Certain Cipher suites are not shown in ssl server test

Kaloyan
Cirrus

Hi, I am running version 15.1.0.

I configured the client-ssl profile with a cipher group, as I need to enable TLSv1.3.

The cipher group has a rule which enables certain cipher suites only:

TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH

With this I am receiving the following in the Rule Audit tab:

Cipher Suites

  • TLS13-AES256-GCM-SHA384/TLS1.3
  • TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
  • ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
  • ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
  • ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
  • ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
  • TLS13-AES128-GCM-SHA256/TLS1.3
  • ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
  • ECDHE-RSA-AES128-GCM-SHA256/TLS1.2

DH Groups

  • DEFAULT

Signature Algorithms

  • DEFAULT

The problem is that when I check the site on SSL Labs, it gives me only these ciphers:

Cipher Suites

# TLS 1.3 (suites in server-preferred order)

  • TLS_AES_256_GCM_SHA384 (0x1302)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256
  • TLS_AES_128_GCM_SHA256 (0x1301)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   128

# TLS 1.2 (suites in server-preferred order)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   128

TLSv1.3 is enabled in the client-ssl profile, with:

no-tlsv1.1

no-tlsv1

I also have a serverssl profile attached to the VIP. I cannot find a way to see ECDHE-ECDSA in SSL Labs...


7 REPLIES

Lidev
MVP

Hi Kaloyan,

It looks like ECDHE-ECDSA is not yet implemented in the Qualys SSL Labs test.

REF - https://discussions.qualys.com/thread/19431-tlsv13-and-ecdsa-not-tested

Have you tried other SSL scan sites?

https://observatory.mozilla.org/ or https://tls.imirhil.fr/

Regards

Kaloyan
Cirrus

Hi Lidev,

If I test www.google.com on the same SSL Labs site, I see the ciphers which are missing on mine:

# TLS 1.2 (suites in server-preferred order)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS   256 P
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256

I even tried DEFAULT ciphers only and still cannot see the ECDHE_ECDSA ones on the site.

tmm --clientciphers DEFAULT clearly shows that they are supported...

This is my first time dealing with version 15 and cipher groups, but I wonder what I am missing....

Did you create a Cipher Group (Local Traffic >> Ciphers : Groups) and associate your Cipher Rules with this group?

Kaloyan
Cirrus

Yes, they are in place (screenshots attached: 0691T000008Ge05QAC.png, 0691T000008Ge0AQAS.png).

Are the cipher group and its cipher suites correctly assigned to the SSL client profile, and the SSL profile to the virtual server?

Kaloyan
Cirrus

Yes, they are properly assigned. When I change the cipher rule, which is:

TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH

I see differences when checking the ciphers, but only the ECDHE_ECDSA ones are not visible in SSL Labs.

I even tried with the openssl and sslscan tools on Linux and didn't see them either....

I just found out the reason. The certificate is created as RSA, which means:

RSA: Specifies that the key is based on the RSA public key encryption algorithm.

So no ECDSA suite will be presented even if it is allowed in the cipher suite list....
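To make the accepted answer concrete: a TLS 1.2 suite name encodes the key type the server certificate must have (ECDHE-ECDSA needs an ECDSA certificate, ECDHE-RSA needs an RSA one), while the TLS 1.3 suites say nothing about the certificate, which is why the three TLS13-* suites and the three ECDHE-RSA suites survive in the SSL Labs scan and the three ECDHE-ECDSA suites never appear. The Python script below is an added example, not code from this thread or from F5. It takes the nine suites the Rule Audit tab listed, filters them by certificate key type, and maps the survivors to the IANA names and code points SSL Labs prints; with "RSA" it reproduces exactly the six suites the scan showed. The `probe_tls12_suite` helper is a hypothetical live check you can run against your own virtual server (host and port are assumptions) to confirm the same result with a single offered suite; it pins TLS 1.2 because the OpenSSL cipher string does not govern TLS 1.3 suites. The name-to-auth rule in `auth_algorithm` is a generalisation beyond the thread's nine suites: it also classifies DHE-RSA and static-RSA names.

```python
import socket
import ssl

# Constructed from the thread: the nine suites the BIG-IP Rule Audit tab
# listed for the cipher group, as "NAME/PROTOCOL" entries.
RULE_AUDIT_SUITES = [
    "TLS13-AES256-GCM-SHA384/TLS1.3",
    "TLS13-CHACHA20-POLY1305-SHA256/TLS1.3",
    "ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2",
    "ECDHE-RSA-AES256-GCM-SHA384/TLS1.2",
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2",
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2",
    "TLS13-AES128-GCM-SHA256/TLS1.3",
    "ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2",
    "ECDHE-RSA-AES128-GCM-SHA256/TLS1.2",
]

# OpenSSL/BIG-IP suite name -> (IANA name, code point) as SSL Labs prints
# them, covering the suites that appear in this thread.
IANA_NAMES = {
    "TLS13-AES256-GCM-SHA384": ("TLS_AES_256_GCM_SHA384", 0x1302),
    "TLS13-CHACHA20-POLY1305-SHA256": ("TLS_CHACHA20_POLY1305_SHA256", 0x1303),
    "TLS13-AES128-GCM-SHA256": ("TLS_AES_128_GCM_SHA256", 0x1301),
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02C),
    "ECDHE-RSA-AES256-GCM-SHA384": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256": ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA9),
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256": ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA8),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02B),
    "ECDHE-RSA-AES128-GCM-SHA256": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
}


def auth_algorithm(name, protocol):
    """Return the certificate key type a suite needs: 'RSA', 'ECDSA' or 'any'.

    TLS 1.3 suites name only the AEAD and hash, so any certificate works.
    TLS 1.2 names carry key exchange and authentication in their first two
    tokens (ECDHE-ECDSA-..., ECDHE-RSA-..., DHE-RSA-...), so the certificate
    must match the second token.  Names with no key-exchange prefix
    (AES128-SHA) use static RSA key exchange and thus an RSA certificate.
    """
    if protocol == "TLS1.3" or name.startswith("TLS13-"):
        return "any"
    tokens = name.split("-")
    if tokens[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        if len(tokens) > 1 and tokens[1] in ("ECDSA", "RSA"):
            return tokens[1]
        raise ValueError("unrecognised key exchange/auth prefix in %r" % name)
    return "RSA"


def negotiable_suites(audit_entries, cert_key_type):
    """Filter 'NAME/PROTOCOL' entries to those a client can actually negotiate
    when the server presents a certificate of cert_key_type ('RSA' or
    'ECDSA').  Server preference order is preserved."""
    usable = []
    for entry in audit_entries:
        name, _, protocol = entry.partition("/")
        if auth_algorithm(name, protocol) in ("any", cert_key_type):
            usable.append(name)
    return usable


def missing_suites(audit_entries, cert_key_type):
    """Configured suites an external scan will never see, because the
    certificate cannot authenticate them."""
    usable = set(negotiable_suites(audit_entries, cert_key_type))
    names = [entry.partition("/")[0] for entry in audit_entries]
    return [name for name in names if name not in usable]


def to_iana(name):
    """Render a suite the way SSL Labs does, e.g. 'TLS_AES_128_GCM_SHA256 (0x1301)'."""
    iana, code = IANA_NAMES[name]
    return "%s (0x%04x)" % (iana, code)


def probe_tls12_suite(host, port, openssl_cipher, timeout=5.0):
    """Live check (hypothetical helper): offer exactly one TLS 1.2 suite to
    host:port and return the negotiated suite name, or None if the server
    refuses the handshake.  Pinned to TLS 1.2 because OpenSSL's cipher string
    does not control TLS 1.3 suites, which would otherwise mask the result."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_cipher)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for key_type in ("RSA", "ECDSA"):
        print("Certificate key type: %s" % key_type)
        for suite in negotiable_suites(RULE_AUDIT_SUITES, key_type):
            print("  negotiable:    %s" % to_iana(suite))
        for suite in missing_suites(RULE_AUDIT_SUITES, key_type):
            print("  never offered: %s" % to_iana(suite))
```

Running it with "RSA" prints the same six suites SSL Labs reported and lists the three ECDHE-ECDSA suites as never offered; with "ECDSA" the picture inverts, which is the practical takeaway: to have ECDHE-ECDSA suites actually negotiable, the virtual server has to present an ECDSA certificate, not just list the suites in the cipher group. The Rule Audit tab reports what the configuration permits, and a scanner reports what a client can complete a handshake with; the certificate key type is the difference between the two.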

Yeah, that makes sense, don't forget to mark your question as solved.