04-Jan-2022 00:27
Hi Folks,
I have two question regarding SSL/TLS cipher and Certificate. We used the same ssl profile with same cipher suite on two different F5 VSs, and we tested SSL/TLS by Qualys SSL Labs. But we saw the different report. One of the website got the A grade, but the other website got the B grade, because the webpage didn't use the forward secrecy cipher suite. Why do we get the discrepancy report ?
The other question:
There were several WAF or Load balancer on the same network chain to handle the same traffic for the same website.
It was like there is a user send the HTTPS request through the several proxy device and final reach the website. Why the user got the certificate problem If one of the proxy which wasn't placed on the first gave the wrong ssl certificate ? Wouldn't the first proxy unit handling client side ssl handshake?
Regards,
Ding
05-Jan-2022 23:35
Hi Ding,
the first question is difficult to answer, without seeing the config or the report.
Regarding your second question - the first device that does the SSL handshake with the client is important.
Check the configuration on this device.
KR
Daniel
06-Jan-2022 00:58
Hi Daniel,
Thanks for the answer. For the question 1, we use the ssl profile with cipher '!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@SPEED'. But we got the two different result. Here is the report which get the B grade
Same ssl profile on another VS, but it got A grade
We think it's weird, so we have opened the technical support case, and they ask us to capture the traffic on client side respectively. We'll check it with Support to see what happen between the ssl handshake. Thanks again for the answer.
Regards,
Ding
06-Jan-2022 22:46
Hi Ding,
It's an odd behaviour. Please share the results with us.
KR
Daniel