Forum Discussion

Kaloyan's avatar
Kaloyan
Icon for Cirrus rankCirrus
Mar 17, 2020
Solved

Certain Cipher suites are not shown in ssl server test

Hi, I am running version 15.1.0.

I configured client-ssl profile with cipher group as I need to enable TLSv1.3

The cipher group has a rule which enables certain cipher suites only:

TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH

With this I am receiving the following into the Rule Audit tab:

Cipher Suites

  • TLS13-AES256-GCM-SHA384/TLS1.3
  • TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
  • ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
  • ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
  • ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
  • ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
  • TLS13-AES128-GCM-SHA256/TLS1.3
  • ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
  • ECDHE-RSA-AES128-GCM-SHA256/TLS1.2

DH Groups

  • DEFAULT

Signature Algorithms

  • DEFAULT

The problem is when I check the site into ssl labs , it gives me only these ciphers :

Cipher Suites

# TLS 1.3 (suites in server-preferred order)

TLS_AES_256_GCM_SHA384 (0x1302)ECDH secp384r1 (eq. 7680 bits RSA)   FS256

TLS_CHACHA20_POLY1305_SHA256 (0x1303)ECDH secp384r1 (eq. 7680 bits RSA)   FS256

TLS_AES_128_GCM_SHA256 (0x1301)ECDH secp384r1 (eq. 7680 bits RSA)   FS128

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)ECDH secp384r1 (eq. 7680 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)ECDH secp384r1 (eq. 7680 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)ECDH secp384r1 (eq. 7680 bits RSA)   FS128

 

TLSv1.3 is enabled into the client-ssl profile

no-tlsv1.1

no-tlsv1

I also have serverssl profile attached to the VIP. Cannot find a way to see ECDHE-ECDSA into the ssl labs...

  • Yes, they are properly assigned. When I change the CIpher rule which is:

    TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH

     

    I see differencies when checking the ciphers but only ECDHE_ECDSA are not visible into the ssllabs.

    I even tried with openssl and sslscan tools via linux and didn't saw it as well....

    I just found out the reason. The certificate is created as RSA. which means :

    RSA: Specifies that the key is based on the RSA public key encryption algorithm.              

    So no ECDSA will be presented even allowed in the cipher suite....

8 Replies

  • Yes, they are properly assigned. When I change the CIpher rule which is:

    TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH

     

    I see differencies when checking the ciphers but only ECDHE_ECDSA are not visible into the ssllabs.

    I even tried with openssl and sslscan tools via linux and didn't saw it as well....

    I just found out the reason. The certificate is created as RSA. which means :

    RSA: Specifies that the key is based on the RSA public key encryption algorithm.              

    So no ECDSA will be presented even allowed in the cipher suite....

    • Lidev's avatar
      Lidev
      Icon for MVP rankMVP

      Yeah, that makes sense, don't forget to mark your question as solved.

    • Evergrim's avatar
      Evergrim
      Icon for Altocumulus rankAltocumulus

      Thanks a lot... spent the whole day on the same issue. Sometimes it is that easy 😄

       

  • Hi Lidev,

    If I test www.google.com in the same ssl lab site, I see the ciphers which are missing on mine:

     1.2 (suites in server-preferred order)

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (

    0xc02b

    )ECDH x25519 (eq. 3072 bits RSA) FS128TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (

    0xcca9

    )ECDH x25519 (eq. 3072 bits RSA) FS256PTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (

    0xc02c

    )ECDH x25519 (eq. 3072 bits RSA) FS256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (

    0xc009

    )  ECDH x25519 (eq. 3072 bits RSA) FS   WEAK128TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (

    0xc00a

    )  ECDH x25519 (eq. 3072 bits RSA) FS   WEAK256

     

    I tried even DEFAULT ciphers only and still cannot see ECDHE_ECDSA ones in the site.

    tmm --clientciphers DEFAULT is clearly shows that they are supported...

    First time dealing with version 15 and cipher groups, but wonder what I am missing....

     

    • Lidev's avatar
      Lidev
      Icon for MVP rankMVP

      Did you create a Ciphers Group ( Local Traffic >> Ciphers : Groups) and associate your Ciphers Rules with this group?

    • Lidev's avatar
      Lidev
      Icon for MVP rankMVP

      Group ciphers\ cipher suites are well assigned to the SSL Client profile ? and the SSL profile to the Virtual Server ?