Issues with cipher suites

Ferry
Nimbostratus

Hi there,

I'm trying to get a tight set of supported ciphers and have explicitly named them. Some don't show up, however, and I have issues determining why.

Anyone know why they don't show up?

In the client-ssl profile I've explicitly set cipher suites to:

TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2

 

More readable:

TLS13-AES256-GCM-SHA384
TLS13-AES128-GCM-SHA256
TLS13-CHACHA20-POLY1305-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
!TLSv1_1
!TLSv1
!SSLv3
!SSLv2

But I only get offered:

Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits

Am missing:

TLS13-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256

Any ideas how to get those active?

TIA

1 REPLY

Ferry
Nimbostratus

Would appear it's due to our ACLs.

I can actually enter cipher suites in a profile and I will actually see them after doing so.

Upon refreshing it seems to get the suites from a parent profile, however. Appears I'm not actually allowed to set them.
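
Added example, not part of the original thread: a Python check that diffs the cipher string from the question against the scanner output it quotes, so a profile change that silently fails to apply shows up as a list of missing suites, and that also flags offered DHE groups below a size limit. The function names, the 2048-bit threshold and the name normalisation (including treating a ChaCha20 name with and without the trailing -SHA256 as the same suite) are assumptions of this example.

```python
import re
# Cipher string and scanner output copied from the question above.
CONFIGURED = (
    "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:"
    "TLS13-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "!TLSv1_1:!TLSv1:!SSLv3:!SSLv2"
)
SCAN = """\
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
"""
ROW = re.compile(r"^(?:Preferred|Accepted)\s+\S+\s+\d+ bits\s+(\S+)\s*(.*)$")

def canon(name):
    """Map profile-style and scanner-style suite names to one comparison key."""
    key = re.sub(r"^TLS(?:13)?[-_]", "", name.upper())  # TLS13-... or TLS_...
    key = re.sub(r"[^A-Z0-9]", "", key)                 # drop '-' and '_'
    # Assumption: a scanner may print the ChaCha20 suite without -SHA256.
    return re.sub(r"POLY1305SHA256$", "POLY1305", key)

def requested(cipher_string):
    """Suites named in the string; '!' entries are exclusions, not suites."""
    return [c for c in cipher_string.split(":") if c and not c.startswith("!")]

def offered(scan_text):
    """(suite, key-exchange detail) for every result row in the scan."""
    rows = (ROW.match(line.strip()) for line in scan_text.splitlines())
    return [(m.group(1), m.group(2)) for m in rows if m]

def missing(cipher_string, scan_text):
    """Requested suites the scan never saw, in configured order."""
    seen = {canon(name) for name, _ in offered(scan_text)}
    return [c for c in requested(cipher_string) if canon(c) not in seen]

def weak_dhe(scan_text, min_bits=2048):
    """Offered suites whose finite-field DH group is smaller than min_bits."""
    found = ((n, re.search(r"DHE (\d+) bits", d)) for n, d in offered(scan_text))
    return [n for n, m in found if m and int(m.group(1)) < min_bits]

if __name__ == "__main__":
    print("missing:", missing(CONFIGURED, SCAN), "weak DHE:", weak_dhe(SCAN))
```

Run against a fresh scan after each profile change; an unchanged missing list means the setting did not take effect on the profile that is actually serving traffic.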