Forum Discussion
JD1
Altostratus
AltostratusTMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE
Hi All,
I'm currently using BIG-IP 11.6.2 HF1.
I'm required to secure the Management WebUI ciphers offered out.
I'd prefer to drop all key exchange methods except for ECDHE.
However, it seems...
But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.
i understand this has been corrected in 12.0.
Hi JD,
It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.
Please let me know if this answers your question.
JD1Altostratus
AltostratusHi Ashwin,
Absolutely, I also see openssl ciphers show the availability of ECDHE in the compiled openssl version (mentioned in original question).
But the point being is that the command
sys httpd ssl-ciphersuiteI think you're confirming my suspicions, with mod_ssl possibly being outdated.
(If you want to update your original answer, I'll mark as solved by it and accept we have to upgrade).
Thanks,
JD