ssl cipher
BigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rating from ssllabs. The issue we're having now is that I cannot find a suitable combination of ciphers to allow Chrome to display the following message: "The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism." I've been able to find a way to enable ECDHE_RSA as the key exchange, however the encryption that ends up being used is AES_256_CBC, causing the obsolete cryptography message to appear. I need to know how to get clients to prefer a GCM cipher, right? Evidently DHE_RSA does not allow for PFS to be enabled. Any recommendations for a cipher string?

This is what I've tried so far, with no luck:

!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!SSLv2:!SSLv3:!MD5:!EXPORT:!SHA1:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA

I was able to obtain an A+ rating on ssllabs using the following ciphers, however now the Obsolete message is back:

ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3

"Your connection to domain.com is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."

TMOS SSL TLS Cipher Cheat Sheet
Hi, for ease of use I summarized the content of a previous post into a printable format (available as PDF in Letter and European A4 format) via the following external links: TMOS SSL TLS Cipher Cheat Sheet v0.1 (Letter), TMOS SSL TLS Cipher Cheat Sheet v0.1 (A4). The content of both PDFs (version 0.1) is shown below.

[Cheat sheet pages 1/4 to 4/4: page images not reproduced here]

I started working with another editor to crunch the size of the next PDFs. The next version will contain fixes and additions based on community feedback. Thanks, Stephan

Log SSL Cipher Version and User Agent Info
Hi, I need to log if there are connections using an SSLv3 cipher before disabling it. I'm using this code:

```tcl
when CLIENTSSL_HANDSHAKE {
    # Count handshakes per virtual server and negotiated protocol version.
    ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
    # Flag weak negotiations: SSL-family protocol versions, RC4, or fewer than 128 key bits.
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
```

That way I get the usage of the different cipher versions, but there isn't any information about OS or browser. That info is in [HTTP::header User-Agent] but can't be used inside CLIENTSSL_HANDSHAKE. It could be done in HTTP_REQUEST, but it would be executed several times for the same session and the stats wouldn't be reliable. How could I log the cipher version and User-Agent data just once for each session? Thanks