RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

Qasim
Cirrostratus

Hi,

We have recently noticed that we are getting the following error in Chrome when browsing to services hosted on F5:

Connection - obsolete connection settings

The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

  • RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

Now I have double-checked, and our F5 does have ECDHE-based cipher suites, and it's the latest version of Google Chrome. Does anyone know what might be causing this? If so, can we fix this?

Or is there any way to prioritise certain cipher suites instead of disabling the weak ones?

Regards,

2 REPLIES

NAG
Cirrostratus

Hi Qasim,

You are seeing that message because RSA is being used as the key exchange algorithm. You should consider using ECDHE_RSA for key exchange instead.

Here is how I would solve it.

Requirements:

1) Force the use of TLS 1.2

2) Disable RSA as the key exchange algorithm

Steps:

1) Go to the Client SSL profile you want to edit.

2) Select Advanced Configuration and tick the customisation button for Ciphers.

3) Copy and paste the following string:

DEFAULT:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE:!RSA

The following is a screenshot of the client SSL profile I have created to illustrate this for you.

Hope this helps.

Please let me know if you have any questions.

-Nag
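
A way to confirm the result of the profile change from a client, added here as an example and not part of the original posts: it reports what a default client negotiates and checks whether the virtual server still accepts a handshake that offers only static-RSA suites. The function names and the hostname argument are assumptions made for the example.

```python
import socket
import ssl
import sys

# First token of OpenSSL names for suites that use static RSA key exchange,
# e.g. AES256-GCM-SHA384 (shown by Chrome as "TLS 1.2, RSA, AES_256_GCM").
_STATIC_RSA = {"AES128", "AES256", "DES", "CAMELLIA128", "CAMELLIA256",
               "ARIA128", "ARIA256", "RC4", "SEED", "IDEA", "NULL"}

def key_exchange(suite):
    """Key exchange implied by a suite name as reported by SSLSocket.cipher()."""
    if suite.startswith("TLS_"):        # TLS 1.3 suites: always ephemeral
        return "TLS1.3"
    first = suite.split("-")[0]
    if first in ("ECDHE", "DHE"):
        return first
    return "RSA" if first in _STATIC_RSA else "other"

def negotiate(host, port=443, ciphers=None, timeout=5.0):
    """Handshake and return (protocol, suite, key exchange). `ciphers` is an
    OpenSSL cipher string restricting what this client offers (TLS 1.2 only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probe only: no data is sent, and
    ctx.verify_mode = ssl.CERT_NONE     # internal certificates must not block it
    if ciphers:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return protocol, name, key_exchange(name)

def rsa_kex_accepted(host, port=443):
    """True if the server still completes a handshake when only static-RSA
    suites are offered; with RSA key exchange disabled it should be False."""
    try:
        return negotiate(host, port, ciphers="kRSA")[2] == "RSA"
    except (ssl.SSLError, ConnectionResetError):
        return False                    # handshake refused: no common suite

if __name__ == "__main__":
    target = sys.argv[1]                # virtual server hostname (assumed argument)
    print("default client negotiates:", negotiate(target))
    print("static RSA still accepted:", rsa_kex_accepted(target))
```

Run it with the virtual server's hostname as the only argument, before and after editing the Client SSL profile.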

Qasim
Cirrostratus

Hi Nag,

Many thanks for your help.

Kind regards,

Qasim