09-Jul-2021 06:12
I have a old SSL client that use the following ciphers:
Secure Sockets Layer
SSLv3 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 49
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 45
Random
Session ID Length: 0
Cipher Suites Length: 6
Cipher Suites (3 suites)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
F5 error:
Jul 9 15:09:19 MainFrontEnd warning tmm[11852]: 01260009:4: Connection error: ssl_hs_rxhello:7527: unsupported version (40)
Packet trace error:
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
Does F5 still support these Ciphers?
Using "ALL" or insecure-compatibility ciphers does not do the trick:
!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED
Ciphers on F5:
tmsh run util clientssl-ciphers SSLv3
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 57 DHE-RSA-AES256-SHA 256 SSL3 Native AES SHA EDH/RSA
1: 56 DHE-DSS-AES256-SHA 256 SSL3 Native AES SHA DHE/DSS
2: 58 ADH-AES256-SHA 256 SSL3 Native AES SHA ADH
3: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
4: 22 DHE-RSA-DES-CBC3-SHA 168 SSL3 Native DES SHA EDH/RSA
5: 27 ADH-DES-CBC3-SHA 168 SSL3 Native DES SHA ADH
6: 10 DES-CBC3-SHA 168 SSL3 Native DES SHA RSA
7: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
8: 50 DHE-DSS-AES128-SHA 128 SSL3 Native AES SHA DHE/DSS
9: 52 ADH-AES128-SHA 128 SSL3 Native AES SHA ADH
10: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
11: 24 ADH-RC4-MD5 128 SSL3 Native RC4 MD5 ADH
12: 21 DHE-RSA-DES-CBC-SHA 64 SSL3 Native DES SHA EDH/RSA
13: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
14: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
15: 26 ADH-DES-CBC-SHA 64 SSL3 Native DES SHA ADH
16: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
17: 98 EXP1024-DES-CBC-SHA 56 SSL3 Native DES SHA RSA
18: 100 EXP1024-RC4-SHA 56 SSL3 Native RC4 SHA RSA
19: 8 EXP-DES-CBC-SHA 40 SSL3 Native DES SHA RSA
20: 3 EXP-RC4-MD5 40 SSL3 Native RC4 MD5 RSA
list /sys httpd ssl-ciphersuite
sys httpd {
ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
}
list /sys httpd ssl-protocol
ssl-protocol "all -SSLv2 -SSLv3"
09-Jul-2021 06:25
Hi Adriaan,
Look at the compatibility chart according to the F5 version you are using :
https://support.f5.com/csp/article/K97098157
Regards
09-Jul-2021 06:59
RC4-MD5 seems to be the answer. Thanks.
09-Jul-2021 07:41
You're welcome .
If this answer was helpful, please don't forget to mark the answer as "Select as Best" in order to pass your post as resolved and help other people to find it 😉
