Forum Discussion

Cirrus

Sep 12, 2023

Solved

Cipher Suites Supported (12.1.5.3)

Hi, I am trying to adjust the SSL profile of a service to get grade A in SSL Labs.
The machine the virtual server runs on is:
---
Sys::Version
Main Package
Product BIG-IP
Version 12.1.5.3
Build 0.16.5
Edition Engineering Hotfix
Date Tue Mar 9 12:02:22 PST 2021

Hotfix List
ID625156-1
---

The problem is that I can't find the F5 resource where to see the cipher suites supported by this version.
If you look at this url, only 12.1.3 appears:

https://my.f5.com/manage/s/article/K13163#12.0.0

- SSL Labs test:

"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."

Any help will be welcome

Thank you very much, best regards

security

Enes_Afsin_Al
Sep 12, 2023
Hi Martin182,

No new cipher suites have been added for versions 12.1.4 and 12.1.5.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-4.html#asm_rn_new
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-5.html#rn_new

You can view all ciphers with the following command from cli.

tmm --clientciphers all

You can use the "!DHE:!DH" string to remove DHE and DH key exchange parameters from the cipher suite. Or you can use only "ECDHE+AES-GCM" cipher suite.

7 Replies

Enes_Afsin_Al
MVP
Sep 12, 2023
Hi Martin182,

No new cipher suites have been added for versions 12.1.4 and 12.1.5.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-4.html#asm_rn_new
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-5.html#rn_new

You can view all ciphers with the following command from cli.

tmm --clientciphers all

You can use the "!DHE:!DH" string to remove DHE and DH key exchange parameters from the cipher suite. Or you can use only "ECDHE+AES-GCM" cipher suite.
- Martin182
  Cirrus
  Sep 12, 2023
  Hi Enes, first of all thank you for your reply 🙂
  You mean to enter as string in the ciphers field only ECDHE+AES-GCM right ?
  My current string is:
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256
  But I don't know why only 6 of them appear in the SSL Labs test and not all 8.
  - Enes_Afsin_Al
    MVP
    Sep 12, 2023
    Hi,
    
    When you enter "ECDHE+AES-GCM", the following cipher suites match:
    
    ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
    
    You cannot view cipher suites containing ECDSA ciphers on ssllabs. Because the signature algorithm of the SSL Certificate is RSA.
    
    ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
    
    K10340213: ECDSA ciphers not being shown at SSLabs test
    https://my.f5.com/manage/s/article/K10340213
PSFletchTheTek
Cumulonimbus
Sep 13, 2023
Just check your ssl config, there is a cyhper config hidden under a Basic/advanced filter in the profile that might not be fully locked down.

I had something very simular. in v14. and it was more on the ssl config than what was supported.
- Martin182
  Cirrus
  Sep 13, 2023
  You mean the cipher rules/groups?, they are not available on this version, I think the first one to implement them is v13.
  - PSFletchTheTek
    Cumulonimbus
    Sep 14, 2023
    O, sorry i started my f5 works at late v13 straight into v14 about 2 months later.
    So it looks like its a feature that's appeared in that time!