Danny_Arroyo
Apr 19, 2018

Enabling "Honor Cipher Order" on F5 LTM v12.X

Our SSL sites are receiving F's on ssllabs. The main reason is that we are vulnerable to the ROBOT vulnerability (We are upgrading from 12.1.1 to 12.1.3.4 tonight).

 

However, another issue we are having is that the weak ciphers are closer to the top of the cipher list than the strong ciphers. This is the SSLlabs output:

 

TLS 1.2 (suites in server-preferred order)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  DH 1024 bits  FS  WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  DH 1024 bits  FS  WEAK  128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)  DH 1024 bits  FS  WEAK  256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)  DH 1024 bits  FS  WEAK  256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)  DH 1024 bits  FS  WEAK  128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)  DH 1024 bits  FS  WEAK  128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)  DH 1024 bits  FS  WEAK  112
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  WEAK  256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  WEAK  128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  WEAK  256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK  256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  WEAK  128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK  128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  WEAK  112
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  ECDH secp384r1 (eq. 7680 bits RSA)  FS  WEAK  112

 

We would like to start using this list of ciphers in order:

 

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

 

From what I have read so far, the F5 respects cipher order from left to right and we need to use the short names to specify the ciphers.

 

Questions: (Any help is appreciated)

1. Do I change the ciphers in the default ssl_client profile? Or do I change the ciphers in the DEFAULT cipher list?
2. How do I set up my list of cipher short names from the list above so that the F5 will use the correct ciphers in order? As a test I used "AES-GCM:AES:DES:!SSLV2:!SSLV3" in one of my VS ssl_client_profiles, but that didn't work. The cipher list at the bottom of the ssllabs report was not in the correct order.

 

  • i would never change something in the built-in default profiles. create your own default and use that as a parent for the others.

     

    as for working with client ciphers did you look at:

     

    https://support.f5.com/csp/article/K17370

     

    https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites

     

    i would use the mentioned tmm command to determine the names you want, then combine those together.

     

    never worked with this but it is an attempt to make it easier, although not in 12, sorry

     

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiation-configuration-13-0-0/1.html

     

  • Thanks for the information Boneyard. I did read through those links before opening this discussion. However, I'm still not clear on how to create my own cipher suite.

     

    I am looking to create a custom "DEFAULT" cipher suite, let's say "MYDEFAULT", so that I can use it in all my client and/or SSL profiles.

     

    Does anyone have any information on how to do this?

     

    Or how can I add the following ciphers to a client ssl profile while keeping the order:

     

    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

     

    Any Help is appreciated

     

  • not quite sure why those articles don't help, they explain it, pretty extensive in my opinion.

     

    you don't create a DEFAULT or MYDEFAULT, the DEFAULT is a built-in set. you are able to manipulate the selection by putting certain sets there like HIGH or RC4 or DCE. with the !RC4 for example you negate a selection.

     

    but next to the sets you can also select the specific ciphers. just put the name in the Cipher field, for example "DHE-RSA-AES256-GCM-SHA384:AES128-SHA256"

     

    do notice from here that not all ciphers you want are possible with F5, i.e. ECDHE-ECDSA-CHACHA20-POLY1305

     

    https://support.f5.com/csp/article/K13163

     

    https://devcentral.f5.com/questions/enable-support-for-chacha20-poly1305-crypto

     

    that should set you off, if it doesn't work, show the error please

     

  • Forgive my lack of knowledge in this area. I have gained a much better understanding of how these ciphers work in the F5 and in general by reading through these links. Also I did find the F5 documentation that said "CHACHA" was not supported. Thanks again for the info.

     

    But let me explain another way. Our Director of Security wants me to allow only the following ciphers, in this order:

     

    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

     

    The reason is that when we test with SSLlabs, it shows our ciphers are in order from weakest to strongest. He wants it to be reverse (as in the list above).

     

    Are you saying that I can add that list to any of my client_ssl profiles (under Ciphers)? If so, can I do something like ":DEFAULT"?

     

    I'm testing by using the 'tmm --clientciphers (high|native|default)' command with the @strength added (and other options), but I can never get the list to come out in the order on the list above.

     

    I'm not getting any errors, the issue is the order of my ciphers doesn't match the list above. I'm starting to believe that this can't be done.

     

    Thanks again.

     

  • i apologize if i come over too strong, it was just that there didn't seem to be any progress, just "i read it all but it doesn't work". it seems it does work, just not exactly as wanted

    if you do this

    tmm --clientcipher "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

    then that is the order the F5 is going to present it, same with putting that in the cipher string field.

    see

    [root@bigip-01:Active:Standalone] config  tmm --clientcipher "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
     1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
    [root@bigip-01:Active:Standalone] config  tmm --clientcipher "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
     1: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
    

    stuff like @strength and such has an effect on sets, not on separately written out ciphers

    so if this doesn't work for you on SSL labs you might not have saved the profile yet, or are testing against the wrong virtual server, or have edited the wrong profile

  • Thanks I'll try that.

     

    But does that command change the cipher for all my VS's? Is there some way to test this cipher with only one VS before I apply this to all my VS's?

     

    Also, when I use this command, do I uncheck the "Ciphers" option in my individual client ssl profiles so that any custom setting in there does not affect the negotiation?

     

  • the command does nothing except show you the order.

     

    you apply this via Client SSL profiles by putting the string in the Cipher text field. And yes, you can just create one new Client SSL profile with the specific cipher string in the Cipher field and put that on one virtual server.

     

  • I was able to resolve this issue. For anyone having the same problem, here is what worked for me.

     

    The problem I was still having after Boneyard's help was that I could not get an SSLLabs grade above "B" because the DHE ciphers were 1024 bit. This made the list of ciphers appear to not be in the proper order. I found a thread (https://devcentral.f5.com/questions/how-to-set-diffie-hellman-to-2048-bits-59024) that explains that the F5 does not support DHE 2K. So that explains why SSLLabs was giving me a "B".

     

    I found another thread (https://devcentral.f5.com/questions/disable-specific-ssl-ciphers-on-f5-big-ip-55422) where someone had the same issue and solved it with the following cipher list: "!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4". I applied that cipher list to my SSL profile and now SSLLabs gives me an "A".

     

    To round things up, my problem was that my cipher string had DH 2048 bit ciphers and ECDHE-ECDSA-CHACHA20-POLY1305 ciphers. Neither of these ciphers are supported by the F5. Also, I did not understand the exact syntax or where the cipher string should be placed in the F5.
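
The workflow this thread arrives at, as an added example that is not part of the original posts or any F5 tooling: filter the requested list down to suites the thread found usable on v12, then confirm from `tmm --clientciphers` output that every requested suite is listed and in the requested order. All function names and the short `requested` string are hypothetical; the tmm rows are the ones posted above.

```shell
#!/bin/sh
# Added example; function names and the sample request are hypothetical.

# Drop suites the thread found unusable on BIG-IP v12 (CHACHA20 unsupported,
# DHE/EDH stuck at 1024-bit DH) while keeping the requested left-to-right order.
filter_cipher_string() {
    printf '%s\n' "$1" | tr ':' '\n' |
        grep -Ev 'CHACHA20|^(DHE|EDH)-' | paste -sd: -
}

# Read `tmm --clientciphers` output on stdin; print the SUITE column in order.
tmm_suites() {
    awk '$1 ~ /^[0-9]+:$/ { print $3 }' | paste -sd: -
}

# Explicit suites of request $1 (operators like !DSS skipped), colon-joined.
explicit_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!+-]' | paste -sd: -
}

# Requested suites that tmm did not list, e.g. names the platform lacks.
missing_suites() {   # $1 = requested string, $2 = observed suites
    explicit_suites "$1" | tr ':' '\n' | while read -r c; do
        case ":$2:" in *":$c:"*) ;; *) printf '%s\n' "$c" ;; esac
    done | paste -sd: -
}

# True when tmm lists exactly the requested suites in the requested order.
order_matches() { [ "$(explicit_suites "$1")" = "$2" ]; }

# Rows copied from the tmm output posted in the thread.
sample_tmm_output() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
EOF
}

# Constructed request: a short subset of the list asked for in the thread.
requested='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!DSS'
usable=$(filter_cipher_string "$requested")
# On the BIG-IP itself: observed=$(tmm --clientciphers "$usable" | tmm_suites)
observed=$(sample_tmm_output | tmm_suites)
echo "cipher string for the profile: $usable"
echo "requested but not listed:      $(missing_suites "$usable" "$observed")"
```

A non-empty "requested but not listed" line means the profile will silently offer fewer suites than the policy names, which is the situation the original CHACHA20 entries created.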

     

  • thanks for reporting back Danny, if you feel my answer helped then please flag it as such.

     

    as for the string you use i do believe it is a bit too complex to achieve what you want, but if you are happy with it, it does the trick.