cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Enable additional ciphers

lorenze
Altocumulus
Altocumulus

Hi Folks,

 

 

I'm fairly new to F5 and was wondering if we can add additional ciphers to through our ssl profiles. Currently we have Big-IP 11.5.4 and for client and server ssl profile we have this set for the ciphers:DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:!MD5:!SSLv3 . I went to SSLlabs and try to scan our website and it gives me this ciphers:

 

# TLS 1.2 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  WEAK256TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK256TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  WEAK128TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)  INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK112 # TLS 1.1 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)  INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK112 # TLS 1.0 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  WEAK112TLS_RSA_WITH_RC4_128_SHA (0x5)  INSECURE128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK112

 

I was hoping to find a way if possible to add this newer ciphers through the SSL profile.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS256TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS256TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)   ECDH x25519 (eq. 3072 bits RSA)   FS256TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)   ECDH x25519 (eq. 3072 bits RSA)   FS256TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)   ECDH x25519 (eq. 3072 bits RSA)   FS256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS128TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)   ECDH x25519 (eq. 3072 bits RSA)   FS128TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)   ECDH x25519 (eq. 3072 bits RSA)   FS128TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)   ECDH x25519 (eq. 3072 bits RSA)   FS128

 

Is this something that can be done through F5? I hope someone can share their expertise.

 

 

Best,

7 REPLIES 7

Hello Lorenze.

 

Those ciphers should already be included in the Native suite for 11.5.4

REF - https://support.f5.com/csp/article/K13163#11.5.3

 

Check with this command:

tmm --clientciphers DEFAULT

Here you have an example of how to include 'ECDHE_ECDSA' on your SSL profile.

REF - https://support.f5.com/csp/article/K13171#sslcipher

 

Regards,

Dario.

Regards,
Dario.

Hello  ,

 

Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:

 

DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

 

and see if that gives me the cipher that we need. I'll update here on how it goes.

 

 

Thanks!

So I tried updating our client ssl profile and specified this value on the cipher and did a scan on ssllabs but its not showing the ECDHE-ECDSA ciphers. Am I missing something?

 

DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

Hello Lorenze.

 

Put this in your CLI:

tmm --clientciphers DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during TLS handshake.

 

To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.

 

Regards,

Dario.

Regards,
Dario.

Hello Lorenze.

 

There are some bugs regarding this kind of cipher suites.

https://cdn.f5.com/product/bugtracker/ID510837.html

https://cdn.f5.com/product/bugtracker/ID435055.html

https://cdn.f5.com/product/bugtracker/ID503620.html

https://cdn.f5.com/product/bugtracker/ID529400.html

 

I guess you could be matching some of them.

 

Regards,

Dario.

Regards,
Dario.

Hi  ,

 

 

Thank you for your response. It could be a bug as mentioned, I hope there is another workaround to enable any of the TLS_ECDHE_ECDSA** ciphers as this is also one of your clients cipher requirement. Appreciate your response.

 

 

Thanks,

Hello Lorenze.

 

To confirm you are facing a bug, you can configure your client SSL profile to use only 'ECDHE_ECDSA' ciphers.

# tmm --clientciphers ECDHE_ECDSA ID SUITE BITS PROT CIPHER MAC KEYX 0: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA 1: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 AES SHA ECDHE_ECDSA 2: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.1 AES SHA ECDHE_ECDSA 3: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 AES SHA ECDHE_ECDSA 4: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_ECDSA 5: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA 6: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 AES SHA ECDHE_ECDSA 7: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 AES SHA ECDHE_ECDSA 8: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 AES SHA ECDHE_ECDSA 9: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_ECDSA 10: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA 11: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_ECDSA 12: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.1 DES SHA ECDHE_ECDSA 13: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_ECDSA

To do so, just replace 'DEFAULT' by 'ECDHE_ECDSA' in Ciphers section and try again.

If you get an error during this connection it's because you facing some bug.

Some extra messages could be displayed in /var/log/ltm.

 

Anyway, have you checked that your cert allows you for using 'ecdhe-ecdsa'?

"When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure ecdhe-ecdsa key/cert is also configured."

REF - https://cdn.f5.com/product/bugtracker/ID529400.html

 

Regards,

Dario.

Regards,
Dario.