
Client cipher always wins, even with Cipher server preference option set

Jozef_Hamar
Altostratus

Hey Team,

 

I have a requirement to prefer some server cipher suites over others (server's preference) in one of the LTM VS we use. I used a custom Cipher Suite in my Client-SSL Profile and set the "Cipher server preference" option. The F5, however, seems to ignore this option, and the cipher that wins the selection is always the one on top of the Client's list. To demonstrate the issue, I used openssl s_client (below) with ssldump on the F5. I found a few articles suggesting that this option is a known troublemaker, but all of them seem to describe the opposite issue: people have problems forcing the Client list to be used (client's preferences).

 

I'm running BIG-IP LTM 12.1.5.2 on 4200v platform.

 

Client:

openssl s_client -connect S.S.S.S:443 -cipher 'AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'

F5 ssldump output:

New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443)
1 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
1 2  0.0005 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.3
        session_id[32]=
          56 bc f9 f6 ea 40 ac 1b be 04 ea 8c d0 09 d4 22
          bc a4 43 96 f5 43 f6 ba bf 02 2c d0 a2 99 24 33
        cipherSuite         TLS_RSA_WITH_AES_128_GCM_SHA256
        compressionMethod                   NULL

Client:

openssl s_client -connect S.S.S.S:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256'

F5 ssldump output:

New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443)
2 1  0.0004 (0.0004)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
2 2  0.0015 (0.0011)  S>C  Handshake
      ServerHello
        Version 3.3
        session_id[32]=
          9a 30 dc 8b 6e f5 d0 ee 83 f9 11 b5 d5 3d 78 77
          e2 f5 58 57 65 5b 52 33 64 1e 88 fc a6 cd c8 87
        cipherSuite         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        compressionMethod                   NULL

 

Any idea on how to force the server's preference would be highly appreciated.

 

Thank you.

 

Jozef
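
The comparison made in the post above can be automated; this is an added example, not part of the original post and not F5 tooling. It parses ssldump text and checks whether the same offered suites in different client orders produce the same selected suite. The names `parse_handshakes` and `preference_verdict` are hypothetical, and the sample is the post's output trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"  # signalling value, not a cipher suite
# Constructed input: the two handshakes from the post, trimmed to the parsed lines.
SAMPLE = """\
New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443)
      ClientHello
        cipher suites
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      ServerHello
        cipherSuite         TLS_RSA_WITH_AES_128_GCM_SHA256
New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443)
      ClientHello
        cipher suites
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      ServerHello
        cipherSuite         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

def parse_handshakes(text):
    """Return [(offered suites in client order, chosen suite)] per connection."""
    out = []
    for conn in re.split(r"(?m)^New TCP connection", text)[1:]:
        hello = re.search(r"cipher suites\s+((?:TLS_\w+\s+)+)", conn)
        chosen = re.search(r"cipherSuite\s+(TLS_\w+)", conn)
        if hello and chosen:
            offered = [s for s in hello.group(1).split() if s != SCSV]
            out.append((tuple(offered), chosen.group(1)))
    return out

def preference_verdict(handshakes):
    """Compare handshakes that offered the same suites in different orders."""
    groups = defaultdict(list)
    for offered, chosen in handshakes:
        groups[frozenset(offered)].append((tuple(offered), chosen))
    for group in groups.values():
        if len({o for o, _ in group}) < 2:
            continue  # a single ordering cannot show who decided
        if len({c for _, c in group}) == 1:
            return "server-order"  # same suite whatever the client order
        if all(c == o[0] for o, c in group):
            return "client-order"  # always the client's first offer
    return "inconclusive"
print(preference_verdict(parse_handshakes(SAMPLE)))
```

A single handshake is reported as inconclusive, because one client ordering cannot show which side made the choice.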

 

4 REPLIES

Interesting, I couldn't find a bug fix article for your version though, but I know that beginning in v15, this feature is being taken out completely, so that it honors the server's cipher suite preference.

 

https://support.f5.com/csp/article/K12390

 

I think you may need an engineering hotfix for your current version or go with an upgraded version.

Try to open a support case to get confirmation from F5 Support partners.

Jozef_Hamar
Altostratus

Hey there,

 

Thanks for the confirmation. In the meantime I checked the exact same stuff on my VE LAB with the same version, and there it works as expected.

 

Going to open a support case as you suggested.

Jozef_Hamar
Altostratus

UPDATE:

We found out that this behavior happens when using an HTTP/2 profile. Once we removed it, the cipher suites are selected based on the server's list. We are still trying to figure out how to make this work with the HTTP/2 profile in place.

Thank you for reporting back.