
Question regarding the SSL/TLS cipher and Certificate

_DDD
Nimbostratus

Hi Folks,

 

I have two questions regarding SSL/TLS ciphers and certificates. We used the same SSL profile with the same cipher suite on two different F5 VSs, and we tested SSL/TLS with Qualys SSL Labs. But we saw different reports. One of the websites got the A grade, but the other website got the B grade, because the webpage didn't use the forward secrecy cipher suites. Why do we get this discrepancy between the reports?

 

The other question:

There were several WAFs or load balancers on the same network chain handling the same traffic for the same website.

It was like a user sending an HTTPS request through several proxy devices before it finally reaches the website. Why did the user get a certificate problem if one of the proxies, which wasn't placed first, gave the wrong SSL certificate? Wouldn't the first proxy unit handle the client-side SSL handshake?

 

0691T00000F8eVKQAZ.jpg 

 

Regards,

Ding

 

4 REPLIES

Hi Ding,

 

The first question is difficult to answer without seeing the config or the report.

Regarding your second question - the first device that does the SSL handshake with the client is important.

Check the configuration on this device.

 

KR

Daniel

_DDD
Nimbostratus

Hi Daniel,

 

Thanks for the answer. For question 1, we use the SSL profile with the cipher string '!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@SPEED'. But we got two different results. Here is the report which got the B grade:

0691T00000F8k33QAB.png 

Same SSL profile on another VS, but it got the A grade:

0691T00000F8k3qQAB.png 

We think it's weird, so we have opened a technical support case, and they asked us to capture the traffic on the client side for each one. We'll check it with Support to see what happens during the SSL handshake. Thanks again for the answer.

 

Regards,

Ding

Hi Ding,

 

It's an odd behaviour. Please share the results with us.

 

KR

Daniel

ToonVA
Cirrus

Do you get the same result when you use @STRENGTH vs @SPEED in your cipher string?