Enable additional ciphers

Question

Hi Folks, I'm fairly new to F5 and was wondering  if we can add additional ciphers to through our ssl profiles.  Currently we have Big-IP 11.5.4 and for client  and server ssl profile we have this set for the ciphers:DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:!MD5:!SSLv3 . I went to SSLlabs and try to scan our website and it gives me this ciphers:# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)&nbsp;&nbsp;WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)&nbsp;&nbsp;INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK112
# TLS 1.1 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)&nbsp;&nbsp;WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)&nbsp;&nbsp;INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK112
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)&nbsp;&nbsp;WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)&nbsp;&nbsp;INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK112
I was hoping to find a way if possible to add this newer ciphers through the SSL profile. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS128TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS128TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS128TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)&nbsp;&nbsp;&nbsp;ECDH x25519 (eq. 3072 bits RSA) &nbsp; FS128

Is this something that can be done through F5? I hope someone can share their expertise. Best,

dario_garrido · Answer

Hello Lorenze.Those ciphers should already be included in the Native suite for 11.5.4REF - https://support.f5.com/csp/article/K13163#11.5.3Check with this command:tmm --clientciphers DEFAULTHere you have an example of how to include 'ECDHE_ECDSA' on your SSL profile.REF - https://support.f5.com/csp/article/K13171#sslcipherRegards,Dario.

lorenze · Answer

Hello &nbsp;,&nbsp;Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:&nbsp;DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3&nbsp;and see if that gives me the cipher that we need. I'll update here on how it goes. &nbsp;&nbsp;Thanks!

lorenze · Answer

So I tried updating our client ssl profile and specified this value on the cipher and did a scan on ssllabs but its not showing the ECDHE-ECDSA ciphers. Am I missing something?

DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

dario_garrido · Answer

Hello Lorenze.Put this in your CLI:tmm --clientciphers DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during TLS handshake.To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.Regards,Dario.

dario_garrido · Answer

Hello Lorenze.&nbsp;There are some bugs regarding this kind of cipher suites.https://cdn.f5.com/product/bugtracker/ID510837.htmlhttps://cdn.f5.com/product/bugtracker/ID435055.htmlhttps://cdn.f5.com/product/bugtracker/ID503620.htmlhttps://cdn.f5.com/product/bugtracker/ID529400.html&nbsp;I guess you could be matching some of them.&nbsp;Regards,Dario.

Forum Discussion

Enable additional ciphers

7 Replies

Recent Discussions

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Help with URL Masking

Related Content

Cipher Suites Supported (12.1.5.3)

LTM Cipher rule

Cipher Suite Practices and Pitfalls

Disabling Weak Ciphers

Disabling Specific Weak Cipher Suites