Client cipher always wins, even with Cipher server preference option set
Hey Team, I have a requirement to prefer some server cipher suites over others (server's preference) in one of the LTM VS we use. I used a custom Cipher Suite in my Client-SSL Profile and set the "Cipher server preference" options. The F5, however, seems to ignore this option and the cipher that wins the selection is always the one on top of the Client's list. To demonstrate the issue, I used openssl s_client (below) with ssldump on the F5. I found few articles suggesting that this option is a known troublemaker, but all of it seem to describe an opposite issue: people have problems to force the Client list to be used (client's preferences). I'm running BIG-IP LTM 12.1.5.2 on 4200v platform. Client: openssl s_client -connect S.S.S.S:443 -cipher 'AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384' F5 ssldump output: New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443) 1 1 0.0005 (0.0005) C>S Handshake ClientHello Version 3.3 cipher suites TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV compression methods NULL 1 2 0.0005 (0.0000) S>C Handshake ServerHello Version 3.3 session_id[32]= 56 bc f9 f6 ea 40 ac 1b be 04 ea 8c d0 09 d4 22 bc a4 43 96 f5 43 f6 ba bf 02 2c d0 a2 99 24 33 cipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 compressionMethod NULL Client: openssl s_client -connect S.S.S.S:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256' F5 ssldump output: New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443) 2 1 0.0004 (0.0004) C>S Handshake ClientHello Version 3.3 cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_EMPTY_RENEGOTIATION_INFO_SCSV compression methods NULL 2 2 0.0015 (0.0011) S>C Handshake ServerHello Version 3.3 session_id[32]= 9a 30 dc 8b 6e f5 d0 ee 83 f9 11 b5 d5 3d 78 77 e2 f5 58 57 65 5b 52 33 64 1e 88 fc a6 cd c8 87 cipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 compressionMethod NULL Any idea on how to force the server's preference would be highly appreciated. Thank you. Jozef
