RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

Question

HI,&nbsp;we have recently noticed that we are getting the following error in Chrome when browsing to services hosted on F5:Connection -&nbsp;obsolete connection settingsThe connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.RSA key exchange is obsolete. Enable an ECDHE-based cipher suite&nbsp;now I have double checked and our F5 does have ECDHE-based ciphers suite and its a ltest version of google chrome. does any one know what might be causing this? if so, we can we fix this?&nbsp;&nbsp;or is there anyway to prioritise certain cipher suites? instead of disabling the weak ones.&nbsp;&nbsp;Regards,&nbsp;&nbsp;

nag · Answer

Hi Qasim,&nbsp;You are seeing that message as  RSA is being used as key exchange algorithm.  You should consider using ECDHE_RSA for key exchange instead. &nbsp;Here is how I would solve it.&nbsp;Requirements:1)  force the use of  TLS 1.22) Disable RSA as Key exchange algorithm&nbsp;Steps:1)  go to Client SSL profile you want to edit.&nbsp;2)  Select Advanced Configuration and tick customisation button for Ciphers.&nbsp;3) Copy and paste the following string DEFAULT:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE:!RSA&nbsp;Following is the screenshot of client SSL profile I have created to illustrate to you.&nbsp;Hope this helps.&nbsp;Please let me know if you have any questions.&nbsp;-Nag

qasim · Answer

Hi Nag,&nbsp;&nbsp;Many thanks for your help.&nbsp;Kind regards,Qasim

Forum Discussion

RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

I'm Sorry Sir, You're Obsolete

Exchange 2016

MS Exchange ProxyNotShell block implemented via iRules

Exchange 2019

Increase DH key exchange to 2048