27-Jan-2021 08:53 - last edited on 04-Jun-2023 21:05 by JimmyPackets
Hi Folks,
I'm fairly new to F5 and was wondering if we can add additional ciphers through our SSL profiles. Currently we have BIG-IP 11.5.4, and for the client and server SSL profiles we have this set for the ciphers:
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:!MD5:!SSLv3
I went to SSL Labs and tried to scan our website, and it gives me these ciphers:
# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK   128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK   112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   112
# TLS 1.1 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK   128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK   112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   112
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK   128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK   112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   112
I was hoping to find a way, if possible, to add these newer ciphers through the SSL profile.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
Is this something that can be done through F5? I hope someone can share their expertise.
Best,
27-Jan-2021 11:56 - last edited on 04-Jun-2023 21:05 by JimmyPackets
Hello Lorenze.
Those ciphers should already be included in the Native suite for 11.5.4.
REF - https://support.f5.com/csp/article/K13163#11.5.3
Check with this command:
tmm --clientciphers DEFAULT
Here you have an example of how to include 'ECDHE_ECDSA' on your SSL profile.
REF - https://support.f5.com/csp/article/K13171#sslcipher
Regards,
Dario.
27-Jan-2021 12:21 - last edited on 24-Mar-2022 01:05 by li-migration
Hello,
Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
and see if that gives me the cipher that we need. I'll update here on how it goes.
Thanks!
27-Jan-2021 13:07
So I tried updating our client SSL profile and specified this value for the cipher, then did a scan on SSL Labs, but it's not showing the ECDHE-ECDSA ciphers. Am I missing something?
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
27-Jan-2021 13:24 - last edited on 04-Jun-2023 21:05 by JimmyPackets
Hello Lorenze.
Put this in your CLI:
tmm --clientciphers DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during TLS handshake.
To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.
Regards,
Dario.
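Dario's validation step above is to inspect the captured ClientHello. As an added example, not code from this thread or from F5, the following Python script parses the raw bytes of a TLS ClientHello or ServerHello record (as one would export from a capture) and lists the offered suites, or the one the server selected, naming the IANA codes that appear in the SSL Labs output earlier in the thread. The `build_client_hello` and `build_server_hello` helpers exist only to construct the sample records; nothing here was captured from a BIG-IP.

```python
"""Pull cipher suites out of TLS ClientHello / ServerHello records.

Added example, not code from the thread or from F5.  Given the raw bytes of a
handshake record (e.g. exported from a packet capture), it lists the suites a
client offered and the one the server selected, and names the codes that
appear in the SSL Labs output quoted in this thread.  The sample records are
constructed by the build_* helpers below, not captured from a BIG-IP.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 1          # handshake message types
SERVER_HELLO = 2

# IANA code -> suite name, for the suites mentioned in the thread.
SUITE_NAMES = {
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (test data only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # compression_methods: [null]
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(msg)) + msg


def build_server_hello(suite):
    """Construct a minimal TLS 1.2 ServerHello record (test data only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(msg)) + msg


def parse_hello(record):
    """Return ("client", [codes]) for a ClientHello or ("server", code) for a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    msg = record[5:5 + rec_len]
    if len(msg) != rec_len or len(msg) < 4:
        raise ValueError("truncated record")
    msg_type, msg_len = msg[0], int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                       # skip protocol version and random
    if pos >= len(body):
        raise ValueError("truncated hello")
    pos += 1 + body[pos]               # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated hello")
    if msg_type == CLIENT_HELLO:
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if n % 2 or pos + n > len(body):
            raise ValueError("bad cipher_suites length")
        return "client", [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if msg_type == SERVER_HELLO:
        (code,) = struct.unpack("!H", body[pos:pos + 2])
        return "server", code
    raise ValueError(f"unexpected handshake type {msg_type}")


def suite_name(code):
    return SUITE_NAMES.get(code, f"unknown suite 0x{code:04x}")


def ecdsa_suites(codes):
    """Codes among `codes` that require an ECDSA certificate to be selected."""
    return [c for c in codes if "_ECDSA_" in suite_name(c)]


if __name__ == "__main__":
    offered = [0xC02B, 0xC02C, 0xCCA9, 0xC013, 0x0035, 0x0005]   # constructed offer
    role, codes = parse_hello(build_client_hello(offered))
    print(f"{role} offered:")
    for c in codes:
        print(f"  0x{c:04x}  {suite_name(c)}")
    print("ECDSA-only suites offered:", [f"0x{c:04x}" for c in ecdsa_suites(codes)])
    # A server holding only an RSA certificate cannot answer with one of those;
    # it will pick an RSA-authenticated suite such as 0xc013 instead.
    role, chosen = parse_hello(build_server_hello(0xC013))
    print(f"{role} selected: 0x{chosen:04x}  {suite_name(chosen)}")
```

The useful comparison is between the two messages: a client may offer ECDHE-ECDSA suites, but the ServerHello can only ever carry one of them if the server's certificate has an ECDSA key, so a scanner that lists only ECDHE-RSA suites is reporting the certificate type as much as the cipher string.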
27-Jan-2021 13:33
Hello Lorenze.
There are some bugs regarding this kind of cipher suites.
https://cdn.f5.com/product/bugtracker/ID510837.html
https://cdn.f5.com/product/bugtracker/ID435055.html
https://cdn.f5.com/product/bugtracker/ID503620.html
https://cdn.f5.com/product/bugtracker/ID529400.html
I guess you could be matching some of them.
Regards,
Dario.
28-Jan-2021 04:35 - last edited on 24-Mar-2022 01:05 by li-migration
Hi,
Thank you for your response. It could be a bug as mentioned; I hope there is another workaround to enable any of the TLS_ECDHE_ECDSA** ciphers, as this is also one of your clients' cipher requirements. Appreciate your response.
Thanks,
28-Jan-2021 05:01 - last edited on 04-Jun-2023 21:05 by JimmyPackets
Hello Lorenze.
To confirm you are facing a bug, you can configure your client SSL profile to use only 'ECDHE_ECDSA' ciphers.
# tmm --clientciphers ECDHE_ECDSA
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA
1: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 AES SHA ECDHE_ECDSA
2: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.1 AES SHA ECDHE_ECDSA
3: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 AES SHA ECDHE_ECDSA
4: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_ECDSA
5: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA
6: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 AES SHA ECDHE_ECDSA
7: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 AES SHA ECDHE_ECDSA
8: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 AES SHA ECDHE_ECDSA
9: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_ECDSA
10: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA
11: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_ECDSA
12: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.1 DES SHA ECDHE_ECDSA
13: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_ECDSA
To do so, just replace 'DEFAULT' with 'ECDHE_ECDSA' in the Ciphers section and try again.
If you get an error during this connection, it's because you are facing some bug.
Some extra messages could be displayed in /var/log/ltm.
Anyway, have you checked that your cert allows you to use 'ecdhe-ecdsa'?
"When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure ecdhe-ecdsa key/cert is also configured."
REF - https://cdn.f5.com/product/bugtracker/ID529400.html
Regards,
Dario.
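The `tmm --clientciphers` table above is the authoritative view of what a cipher string expands to on the box, and the bug note quoted by Dario explains why a listed ECDHE_ECDSA suite can still never be negotiated. As an added example, not the thread's or F5's code, the following Python script parses that table format (ID SUITE BITS PROT CIPHER MAC KEYX), converts the decimal suite IDs BIG-IP prints into the hex IANA codes SSL Labs shows (49195 is 0xc02b), flags obsolete ciphers and protocol versions, and reports whether an ECDSA key/cert is a prerequisite for any listed suite. `SAMPLE` mirrors four rows from the output above plus two constructed RSA rows; the pipe in the usage comment is a hypothetical invocation.

```python
"""Summarise `tmm --clientciphers` output.

Added example, not the thread's or F5's code.  It parses the table format
shown in the thread (ID SUITE BITS PROT CIPHER MAC KEYX), converts the decimal
suite IDs BIG-IP prints into the hex IANA codes SSL Labs shows, flags obsolete
ciphers and protocol versions, and reports whether any listed suite needs an
ECDSA key/cert before it can ever be negotiated.  SAMPLE mirrors rows from the
thread's output plus two constructed RSA rows.
"""
import re
import sys
from collections import defaultdict

SAMPLE = """\
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA
1: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 AES SHA ECDHE_ECDSA
2: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA
3: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_ECDSA
4: 47 AES128-SHA 128 TLS1.2 AES SHA RSA
5: 5 RC4-SHA 128 TLS1.2 RC4 SHA RSA
"""

# one table row: "<n>: <id> <suite> <bits> <prot> <cipher> <mac> <keyx>"
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LEGACY_CIPHERS = {"RC4", "DES"}                 # tmm lists 3DES suites as "DES"
LEGACY_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}   # "TLS1" is TLS 1.0
FIELDS = ("id", "suite", "bits", "prot", "cipher", "mac", "keyx")


def parse_clientciphers(text):
    """Return one dict per table row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = dict(zip(FIELDS, m.groups()))
        row["id"] = int(row["id"])
        row["bits"] = int(row["bits"])
        row["iana"] = f"0x{row['id']:04x}"    # 49195 -> 0xc02b, as SSL Labs prints it
        rows.append(row)
    return rows


def by_key_exchange(rows):
    """Map KEYX value -> list of suite names using it."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["keyx"]].append(r["suite"])
    return dict(groups)


def legacy_rows(rows):
    """Rows that use an obsolete cipher or an obsolete protocol version."""
    return [r for r in rows if r["cipher"] in LEGACY_CIPHERS or r["prot"] in LEGACY_PROTOCOLS]


def requires_ecdsa_cert(rows):
    """True if any ECDHE_ECDSA suite is listed.  Listing is not enough: the
    profile must also carry an ECDSA key/cert, otherwise the server will never
    select one of these suites and a scanner will not see them."""
    return any(r["keyx"] == "ECDHE_ECDSA" for r in rows)


def summary(rows):
    return {
        "suites": len(rows),
        "key_exchange": {k: len(v) for k, v in by_key_exchange(rows).items()},
        "legacy": sorted({f"{r['suite']}/{r['prot']}" for r in legacy_rows(rows)}),
        "needs_ecdsa_cert": requires_ecdsa_cert(rows),
    }


if __name__ == "__main__":
    # Hypothetical usage: tmm --clientciphers DEFAULT > ciphers.txt; python3 this.py ciphers.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    rows = parse_clientciphers(text)
    for r in rows:
        print(f"{r['iana']}  {r['suite']:<40} {r['prot']:<7} {r['keyx']}")
    print(summary(rows))
```

Feeding the real `tmm --clientciphers` output for the profile's cipher string through this gives the cross-check the thread was missing: if `needs_ecdsa_cert` is true but the client SSL profile only has an RSA key/cert, the absence of ECDHE-ECDSA suites in the SSL Labs scan is expected behaviour rather than a bug, and the hex codes let the two outputs be compared row by row.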