Forum Discussion

Tom_K
Jan 16, 2020

TLS 1.3 on Bigip 14.1.2.3

I have enabled TLS 1.3 on BigIp version 14.1.2.3 and when I run the test for the site at ssllabs the best grade I can get is a "B" with this message.

"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"

However when I disable TLS 1.3 I get an "A+" grade.

Any thoughts or suggestions? Has anyone been able to get an "A" grade after enabling TLS 1.3?

I have tried about a half dozen different cipher strings without success.

I am not sure what to use for DH groups or signature algorithms.

Setup is much different for TLS 1.3

my cipher string pre TLS 1.3 is @STRENGTH:!TLSv1:!3DES:ECDHE:!DHE:DEFAULT

which gets me an "A" grade at ssllabs for all of my sites.

1 Reply

  • I don't know exactly what change you made to use TLS1.3, but I guess you changed the cipher to just use TLS1.3, as that is a common mistake.

    That will basically enable all ciphers that TLS1.3 supports, even the less secure ones that are not enabled in the default cipher.

    TLS1.3 is fully supported in the version you are using, but is disabled by default:

    https://support.f5.com/csp/article/K10251520

    I would start the tests by changing the cipher to DEFAULT, and enable TLS1.3 using the options list.

    If that does not work, see the options list, as there are also options for DH.

    Also, try to get more information about which cipher the test is complaining about.

    If you run the following command on your F5, it will show the list of ciphers for the cipher string you are using:

    tmm --client "DEFAULT"

    I used default, but you could use any other cipher string.

    Anyway, the version defaults are in this solution:

    https://support.f5.com/csp/article/K54125331

    Also, it is normally important to add some security HTTP headers to the sites.

    That normally blocks you from getting an A+, so I assume you already have the headers.
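Added example (not from either poster, and not F5 code): the reply suggests finding out which key exchange the scanner is complaining about. The helper below does that from the client side with `openssl s_client`: it forces a TLS 1.2 DHE handshake (and, separately, a TLS 1.3 handshake) against a host and reads the `Server Temp Key:` line to see the group type and size the server actually used. The parsing functions work on captured text, so the embedded samples are constructed output used to exercise the parser, not a capture from the poster's BIG-IP; the host name and 2048-bit threshold are assumptions.

```shell
#!/bin/sh
# Added example: inspect the ephemeral key exchange a TLS server negotiates.
# Not code from the thread or from F5; host names and thresholds are assumed.

# Run openssl s_client once and return its stderr+stdout text.
# $1 = host:port, $2 = extra s_client arguments (intentionally unquoted so
# several flags can be passed, e.g. "-tls1_2 -cipher DHE" or "-tls1_3").
probe() {
    openssl s_client -connect "$1" -servername "${1%%:*}" $2 </dev/null 2>&1
}

# Extract the key type from the "Server Temp Key:" line, e.g. DH, ECDH, X25519.
temp_key_type() {
    printf '%s\n' "$1" | sed -n 's/^Server Temp Key: *\([^,]*\),.*/\1/p' | head -n 1
}

# Extract the key size in bits from the same line (last number before " bits").
temp_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Server Temp Key:.*[ ,]\([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# True (exit 0) when the server used finite-field DH with a group smaller than
# 2048 bits; that is the usual cause of a "weak DH parameters" finding.
dh_is_weak() {
    ktype=$(temp_key_type "$1")
    kbits=$(temp_key_bits "$1")
    [ "$ktype" = "DH" ] && [ -n "$kbits" ] && [ "$kbits" -lt 2048 ]
}

# Constructed sample outputs (not captured from the poster's system) so the
# parsing can be checked without a network connection.
SAMPLE_DHE='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_TLS13='Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

# Report on one host: check the DHE suites under TLS 1.2, then TLS 1.3.
report() {
    host="$1"
    for args in "-tls1_2 -cipher DHE" "-tls1_3"; do
        out=$(probe "$host" "$args")
        printf '%s %s: %s %s bits' "$host" "$args" \
            "$(temp_key_type "$out")" "$(temp_key_bits "$out")"
        if dh_is_weak "$out"; then printf '  <-- weak DH group\n'; else printf '\n'; fi
    done
}

# Usage (assumed host): report www.example.com:443
```

If the TLS 1.2 probe prints `DH ... bits` with a size below 2048, the finding comes from a DHE cipher suite that is still enabled, which is what the reply's suggestion of starting from `DEFAULT` and then reviewing the DH-related entries in the profile options list is meant to surface. If the DHE probe fails to connect at all (the server offers no DHE suites), look at the TLS 1.3 probe's group instead.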