
Selected Cipher in SSL profile

smalex
Altostratus

Based on the security team's recommendation, we need to avoid particular ciphers and include a particular cipher.

 

I used the line below in the client SSL profile.

 

DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA

 

I expect ECDHE-ECDSA-AES128-SHA256 to be listed, but when scanning using an online tool, I do not see this particular cipher.

Below is the list detected by the tool:

 

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK   256

 

 

Software version: BIG-IP 12.1.5.3 Build 0.16.5 Engineering Hotfix

 

Please advise what I am missing.

1 REPLY

If you use the NATIVE cipher list, do you have the same issue? In version 12.1 the NATIVE list has ECDHE-ECDSA-AES128-SHA256 by default.

 

https://support.f5.com/csp/article/K13163
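
A way to check the scan against the profile mechanically, as an added example that is not part of the original thread: it splits the cipher string from the question into requested and excluded names and compares them with the suites the scanner reported. The parsing rules (bare name = requested, `!` = excluded, `DEFAULT`/`NATIVE` = keyword groups) and the IANA-to-OpenSSL-style name conversion are assumptions that cover only the names appearing in this thread.

```python
# Added example: audit a scan result against the configured cipher string.
# Cipher string and scanned suites are copied from the question above.
CIPHER_STRING = (
    "DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:"
    "!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:"
    "!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:"
    "!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:"
    "!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA"
)
SCANNED = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
KEYWORD_GROUPS = {"DEFAULT", "NATIVE"}  # assumption: only the groups named in this thread


def parse_cipher_string(cipher_string):
    """Split the string into (keyword groups, requested names, excluded names)."""
    groups, requested, excluded = set(), set(), set()
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        if token.startswith("!"):
            excluded.add(token[1:])
        elif token in KEYWORD_GROUPS:
            groups.add(token)
        else:
            requested.add(token)
    return groups, requested, excluded


def iana_to_openssl(name):
    """Convert an IANA suite name to the OpenSSL-style name (assumed mapping)."""
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    kx, _, enc = body.partition("_WITH_")
    enc = enc.replace("AES_", "AES").replace("_CBC", "").replace("_", "-")
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"  # plain RSA has no prefix
    return prefix + enc


def audit(cipher_string, scanned):
    """Report requested-but-missing, excluded-but-offered and group-derived suites."""
    _, requested, excluded = parse_cipher_string(cipher_string)
    offered = {iana_to_openssl(n) for n in scanned}
    return {
        "missing": sorted(requested - offered),
        "excluded_but_offered": sorted(excluded & offered),
        "offered_via_group": sorted(offered - requested),
    }
```

For the values in the question, `audit(CIPHER_STRING, SCANNED)` shows that every `!` exclusion took effect, that the five suites the scanner saw all come from the `DEFAULT` group, and that the one explicitly requested suite is the only thing missing.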