SSLlabs strong ciphers only with tls 1.2 running
Hopefully this saves someone else a few hours of searching trying and reconfiguring the F5 Cipher Suites to get an "A" and only use strong ciphers with only tls 1.2 with ssllabs.com. F5's implementation of cipher suites and chosing which to use could be greatly improved for ease of use. I was able to achieve an "A" on SSLlabs.com with Strong Ciphers Only by doing the following: Note- with having only these 2 ciphers selected older versions of Internet Explorer 11 on Win 7, Win8.1, Win Phone 8.1, and Safari 6, 7, 8 cause handshake_failures. First create the rule: Under Local Traffic > Ciphers: Rules > Create Under Rule Creation> Give it a RULENAME To the right of Cipher Suites: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 Second the group: Under Local Traffic > Ciphers: Groups > then Create Give the group a GROUPNAME, then on the right under Available Rules select the RULENAME you created and click << box and then click finish. Third - assign the group to an ssl profile: Under Local Traffic > Profiles> SSL> Client> Select your exisitng SSL Client, Ie EXAMPLE. Once within the profile click the drop down to the right of Configuration: to show Advanced. Make sure your Ciphers has a check in the box on the right. Click the drop down next to ciphers and select the GROUPNAME you created and then click Update at the bottom. ---- We were also able to achieve an "A" but with weak cipher suites showing on SSLlabs.com . We were using for our cipher suites: !NONE:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:!RSA+AES-GCM:!RSA+AES:-MD5:-SSLv3:-RC4:!3DES:!TLSv1:!TLSv1_1:TLSv1_3
Recommended Exchange 2016 ciphers settings?
After setting up our Exchange 2016 environment behind the F5 using the iApp, the SSL scan through Qualys SSL Labs gave us a big red F. Started a case with F5, to get the recommended cipher settings for Exchange 2016, but Support is telling me they don't know, and can only recommend different general settings to try to get rid of insecure ciphers. So first thing I'm recommended to try is: DEFAULT:!RSA I'm really surprised over this poor support, and hoping someone else out there has an Exchange 2016 server tightened down, without tighten it too much, to still be able to use Outlook Anywhere/OWA/ActiveSync etc. If you would be willing to share your ciphers settings, it would be much appreciated!
SSLv3 Cipher support
I have a old SSL client that use the following ciphers: Secure Sockets Layer SSLv3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: SSL 3.0 (0x0300) Length: 49 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 45 Version: SSL 3.0 (0x0300) Random Session ID Length: 0 Cipher Suites Length: 6 Cipher Suites (3 suites) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) F5 error: Jul9 15:09:19 MainFrontEnd warning tmm[11852]: 01260009:4: Connection error: ssl_hs_rxhello:7527: unsupported version (40) Packet trace error: Alert Message Level: Fatal (2) Description: Handshake Failure (40) Does F5 still support these Ciphers? Using "ALL" or insecure-compatibility ciphers does not do the trick: !SSLv2:ALL:!DH:!ADH:!EDH:@SPEED Ciphers on F5: tmsh run util clientssl-ciphers SSLv3 IDSUITEBITS PROTMETHODCIPHERMAC KEYX 0:57DHE-RSA-AES256-SHA 256SSL3NativeAES SHA EDH/RSA 1:56DHE-DSS-AES256-SHA 256SSL3NativeAES SHA DHE/DSS 2:58ADH-AES256-SHA 256SSL3NativeAES SHA ADH 3:53AES256-SHA 256SSL3NativeAES SHA RSA 4:22DHE-RSA-DES-CBC3-SHA 168SSL3NativeDES SHA EDH/RSA 5:27ADH-DES-CBC3-SHA 168SSL3NativeDES SHA ADH 6:10DES-CBC3-SHA 168SSL3NativeDES SHA RSA 7:51DHE-RSA-AES128-SHA 128SSL3NativeAES SHA EDH/RSA 8:50DHE-DSS-AES128-SHA 128SSL3NativeAES SHA DHE/DSS 9:52ADH-AES128-SHA 128SSL3NativeAES SHA ADH 10:47AES128-SHA 128SSL3NativeAES SHA RSA 11:24ADH-RC4-MD5128SSL3NativeRC4 MD5 ADH 12:21DHE-RSA-DES-CBC-SHA 64SSL3NativeDES SHA EDH/RSA 13: 5RC4-SHA128SSL3NativeRC4 SHA RSA 14: 4RC4-MD5128SSL3NativeRC4 MD5 RSA 15:26ADH-DES-CBC-SHA 64SSL3NativeDES SHA ADH 16: 9DES-CBC-SHA 64SSL3NativeDES SHA RSA 17:98EXP1024-DES-CBC-SHA 56SSL3NativeDES SHA RSA 18: 100EXP1024-RC4-SHA 56SSL3NativeRC4 SHA RSA 19: 8EXP-DES-CBC-SHA 40SSL3NativeDES SHA RSA 20: 3EXP-RC4-MD5 40SSL3NativeRC4 MD5 RSA list /sys httpd ssl-ciphersuite sys httpd { ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA } list /sys httpd ssl-protocol sys httpd { ssl-protocol "all -SSLv2 -SSLv3" }
BigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rating from ssllabs. The issue we're having now, is that I cannot find a suitable combination of ciphers to allow Chrome to display the following message: The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. I've been able to find a way to enable ECDHE_RSA as the key exchange, however the encryption that ends up being used is AES_256_CBC, resulting in the obsolete cryptography message to appear. I need to know how to get clients to prefer a GCM cipher, right? Evidently DHE_RSA does not allow for PFS to be enabled. Any recommendations for a cipher string? This is what I've tried so far, with no luck: !SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES !SSLv2:!SSLv3:!MD5:!EXPORT:!SHA1:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA I was able to obtain an A+ rating on ssllabs using the following ciphers, however now the Obsolete message is back: ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3 Your connection to domain.com is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x
Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side). How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation? The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1 tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA 1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA 2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA 3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA The client browser is Safari 11.1 (the latest version at time of writing).
Ciphers list '' for profile /Common/SSL_Test denies all clients
Hi folks, Need help in configuring custom ciphers to attach to the SSL profile. I've configured the Cipher rule with following ciphers and then created Cipher Group. ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305: ECDHE-RSA-CHACHA20-POLY1305: ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-SHA384: ECDHE-RSA-AES256-SHA384: ECDHE-ECDSA-AES128-SHA256: ECDHE-RSA-AES128-SHA256 when I am trying to add the Cipher group name to SSL profile then it gives the above error.Excluding Cipher Suites
I have been given a list of cipher suites which have been flagged as weak and crossed referenced this with the published list of ciphers for BIG-IP v12. I now need to exclude these ciphers from the default stack and whilst I am aware of the method e.g. DEFAULT:!TLSv1 I'm not sure of the string to exclude the following specifically: TLS1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS1.1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Can anyone advise?Feature Request: CLI-only changes and pushing to entire enterprise
Hello DevCentral Community, I'm generally new to BIG-IQ, first of all, so please excuse me if this exists and I haven't found it yet. I have 8 HA pairs so total 16 BIG-IP virtual instances, and we're evaluating BIG-IQ to manage our environment. Something that would really help us out would be the ability to make changes to the configuration you'd normally have to do via the command line such as ciphers and custom alerts. In addition, the ability to push those changes to all devices I have discovered and managed. If this feature exists, please enlighten me, but I have not found it at this point. Thank you.