Question regarding the SSL/TLS cipher and Certificate

Question

Hi Folks,&nbsp;I have two question regarding SSL/TLS cipher and Certificate. We used the same ssl profile with same cipher suite on two different F5 VSs, and we tested SSL/TLS by Qualys SSL Labs. But we saw the different report. One of the website got the A grade, but the other website got the B grade, because the webpage didn't use the forward secrecy cipher suite. Why do we get the discrepancy report ?&nbsp;The other question:There were several WAF or Load balancer on the same network chain to handle the same traffic for the same website. It was like there is a user send the HTTPS request through the several proxy device and final reach the website. Why the user got the certificate problem If one of the proxy which wasn't placed on the first gave the wrong ssl certificate ? Wouldn't the first proxy unit handling client side ssl handshake?&nbsp;&nbsp;&nbsp;Regards,Ding&nbsp;

daniel_wolf · Answer

Hi Ding,&nbsp;the first question is difficult to answer, without seeing the config or the report.Regarding your second question - the first device that does the SSL handshake with the client is important.Check the configuration on this device.&nbsp;KRDaniel

_ddd · Answer

Hi Daniel,&nbsp;Thanks for the answer. For the question 1, we use the ssl profile with cipher '!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@SPEED'. But we got the two different result. Here is the report which get the B grade&nbsp;Same ssl profile on another VS, but it got A grade&nbsp;We think it's weird, so we have opened the technical support case, and they ask us to capture the traffic on client side respectively. We'll check it with Support to see what happen between the ssl handshake. Thanks again for the answer.&nbsp;Regards,Ding

daniel_wolf · Answer

Hi Ding,&nbsp;It's an odd behaviour. Please share the results with us.&nbsp;KRDaniel

toonva · Answer

Do you get the same result when you use&nbsp;@STRENGTH vs&nbsp;@SPEED in your cipher string?

Forum Discussion

Question regarding the SSL/TLS cipher and Certificate

4 Replies

Recent Discussions

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Related Content

Question & Answer: Regarding CVE-2020-5902

Re: Management Certificate

Query Regarding extramb

Automate Let's Encrypt Certificates on BIG-IP

My Security+ Certification Journey