Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Selected Cipher in SSL profile

smalex
Altostratus
Altostratus

‎24-Mar-2021 02:18 - last edited on ‎05-Jun-2023 20:06 by Fog

Based on security team recommendation, we need to avoid particular ciphers and include a particular cipher.

I used below line in client SSL profile.

DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA

I expect ECDHE-ECDSA-AES128-SHA256 to be listed, but when scanning using online tool, I do not see this particular cipher.

Below is list detected by tool:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)DH 1024 bits   FSWEAK256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)DH 1024 bits   FSWEAK128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)ECDH secp384r1 (eq. 7680 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)ECDH secp384r1 (eq. 7680 bits RSA)   FS128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (

0xc028
)  ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK256

Software version: BIG-IP 12.1.5.3 Build 0.16.5 Engineering Hotfix

Please advise what am I missing out.

Labels:
0 Kudos
1 REPLY 1

Nikoolayy1
MVP
MVP

‎24-Mar-2021 06:13

If you use the NATIVE cipher list, do you have the same issue as for 12.1 the NATIVE list by default has ECDHE-ECDSA-AES128-SHA256 in version 12.1?

 

https://support.f5.com/csp/article/K13163

0 Kudos
Copyright © 2023 Khoros, LLC