NimbostratusSoftware: BIG-IP version:big-ip 11.4.1 Hardware: big-ip 3600 When I configured it according to the official documentation(https://support.f5.com/csp/article/K13171TLSv1.2), I found that it did not take effect.
Nimbostratus
I can see from this picture that my configuration does not take effect.
Nimbostratusthis is the config
EmployeeYou're using TLSv1.2. The problem is that you're using RSA and AES128-SHA. The negotiated cipher is:
AES128-SHA
RSA is an obsolete key exchange and doesn't provide forward secrecy, and SHA1 is an obsolete hmac. You can see exactly what ciphers are included in "TLSv1_2" by using the command line:
tmm --clientciphers 'TLSv1_2'
You'll definitely see RSA and SHA1 in that list. Any cipher that doesn't start with the key exchange (ex. DHE-RSA, ECDHE-RSA, etc.) is an RSA key exchange (ex. AES256-SHA). And "SHA" means SHA1. So there are few options. You could start with 'DEFAULT' and remove RSA, SHA and older TLS protocols,
DEFAULT:!RSA:!SHA
or you could start the 'TLSv1_2 and simply remove RSA and SHA:
TLSv1_2:!RSA:!SHA
Definitely take a look at this list on the command line, as the latter option may also include some undesirable options like ADH (anonymous Diffie-Hellman) and ECDH (non-ephemeral elliptic curve Diffie-Hellman). Starting with the DEFAULT string will automatically remove insecure ciphers.
Most likely you cannot use the cipher string: "TLSv1_2:!RSA:!SHA" because there will be no available ciphers left. Best way to check is through the CLI.
Can you check what ciphers you get from that cipherstring by running the following command?
tmm --clientcipher 'TLSv1_2:!SHA:!RSA'You're right. Based on https://support.f5.com/csp/article/K1316311.4.1, there are NO ciphers available that don't either do (non-PFS) RSA key exchange or use SHA1. There are two that use SHA256, and seven that don't use RSA, but none of these overlap.
Minimally you need to upgrade to 11.5.1 to get the cipher combinations that you want. There are several ciphers in this version that satisfy the requirements.