17-Mar-2020 02:04
Hi, I am running version 15.1.0.
I configured client-ssl profile with cipher group as I need to enable TLSv1.3
The cipher group has a rule which enables certain cipher suites only:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
With this I am receiving the following into the Rule Audit tab:
Cipher Suites
DH Groups
Signature Algorithms
The problem is when I check the site into ssl labs , it gives me only these ciphers :
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_AES_128_GCM_SHA256 (0x1301)ECDH secp384r1 (eq. 7680 bits RSA) FS128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)ECDH secp384r1 (eq. 7680 bits RSA) FS128
TLSv1.3 is enabled into the client-ssl profile
no-tlsv1.1
no-tlsv1
I also have serverssl profile attached to the VIP. Cannot find a way to see ECDHE-ECDSA into the ssl labs...
Solved! Go to Solution.
17-Mar-2020 08:43
Yes, they are properly assigned. When I change the CIpher rule which is:
I see differencies when checking the ciphers but only ECDHE_ECDSA are not visible into the ssllabs.
I even tried with openssl and sslscan tools via linux and didn't saw it as well....
I just found out the reason. The certificate is created as RSA. which means :
RSA: Specifies that the key is based on the RSA public key encryption algorithm.
So no ECDSA will be presented even allowed in the cipher suite....
View solution in original post
17-Mar-2020 03:27
Hi Kaloyan,
It looks like ECDHE-ECDSA is not yet implemented on the Qualys SSL Labs test.
REF - https://discussions.qualys.com/thread/19431-tlsv13-and-ecdsa-not-tested
Have you tried with other SSL scan sites?
https://observatory.mozilla.org/ or https://tls.imirhil.fr/
Regards
17-Mar-2020 05:53
Hi Lidev,
If I test www.google.com in the same ssl lab site, I see the ciphers which are missing on mine:
1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (
0xc02b
)ECDH x25519 (eq. 3072 bits RSA) FS128TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (
0xcca9
)ECDH x25519 (eq. 3072 bits RSA) FS256PTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (
0xc02c
)ECDH x25519 (eq. 3072 bits RSA) FS256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (
0xc009
) ECDH x25519 (eq. 3072 bits RSA) FS WEAK128TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (
0xc00a
) ECDH x25519 (eq. 3072 bits RSA) FS WEAK256
I tried even DEFAULT ciphers only and still cannot see ECDHE_ECDSA ones in the site.
tmm --clientciphers DEFAULT is clearly shows that they are supported...
First time dealing with version 15 and cipher groups, but wonder what I am missing....
17-Mar-2020 06:19
Did you create a Ciphers Group ( Local Traffic >> Ciphers : Groups) and associate your Ciphers Rules with this group?
17-Mar-2020 06:57
Yes, they are in place
17-Mar-2020 07:11
Group ciphers\ cipher suites are well assigned to the SSL Client profile ? and the SSL profile to the Virtual Server ?
17-Mar-2020 23:53
Yeah, that makes sense, don't forget to mark your question as solved.
