Joe_Pipitone
May 01, 2015

BigIP 11.6 HF4 + SSL ciphers

We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rating from ssllabs.

 

The issue we're having now is that I cannot find a suitable combination of ciphers to allow Chrome to display the following message:

 

The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

 

I've been able to find a way to enable ECDHE_RSA as the key exchange, however the encryption that ends up being used is AES_256_CBC, causing the obsolete cryptography message to appear. I need to know how to get clients to prefer a GCM cipher, right?

 

Evidently DHE_RSA does not allow for PFS to be enabled.

 

Any recommendations for a cipher string?

 

This is what I've tried so far, with no luck:

 

!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES

!SSLv2:!SSLv3:!MD5:!EXPORT:!SHA1:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES

 

!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA

 

I was able to obtain an A+ rating on ssllabs using the following ciphers, however now the Obsolete message is back:

 

ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3

 

Your connection to domain.com is encrypted with obsolete cryptography.

 

The connection uses TLS 1.2.

 

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.

 

  • I think this did the trick - however now certain browsers aren't supported such as Android, IE 7/8/9/10, etc.

    ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!SHA1:@SPEED
  • BinaryCanary_19
    Historic F5 Account

    I trust you read: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

     

    If you have disabled RC4, and SSLv3(protocol) and DES, and even SHA1 based ciphers, I'm not at all surprised that older android clients won't be able to connect.

     

    I think SSL Labs shows you the oldest version of android that works, and if anything newer than 2.3 would work, I personally wouldn't worry too much. Same for Windows XP -- no need to worry about an OS that its vendor no longer supports.

     

  • BinaryCanary_19
    Historic F5 Account

    By the way, it seems like you disabled everything except perhaps: ECDHE+AES-GCM.

     

    That will break a lot of software out there.

     

    Not all ciphers are considered weak.

     

    I think disabling SSLv3, MD5 and RC4 should be enough to get you A+ rating.

     

    Also, you should not adhere too strongly to SSLLabs rating.

     

    You should only be concerned about the score based on how much strength you want, vs how much older software you wish to support. RC4 and SSLv3 are generally safe to disable, as most software in the last 10 or so years should be able to do fine without these.

     

    Also, if you don't order the ciphers by Speed (@speed), then the LTM will always choose the strongest Cipher presented by the client that it also supports. I believe that if you order them by speed, then the LTM chooses the fastest Cipher that the client also supports, and not necessarily the strongest. This doesn't seem like what you want.

     

    • Joe_Pipitone
      OK great. Thank you for the explanation. This is what I'm going with for now - any suggestions?

      DEFAULT:!SSLv3:!MD5:!RC4:!EXPORT

      Do I need to specify !RC4 or !RC4-SHA? The test results came back A- stating that forward secrecy was supported with some browsers. I can live with that.
    • BinaryCanary_19
      Historic F5 Account
      Yes, that is ok in my view too. Not all browsers support the ciphers that provide perfect forward secrecy, and if you were to disable ciphers that don't have PFS, then your site would be broken for those browsers or clients.
  • This is working for us to get an A+ on SSLLabs and 'is using a modern cipher suite' in Chrome 44. Of course HSTS must be enabled to get the A+.

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES

    Here's the rationale and process:

    For reference, here's the DEFAULT for 11.6:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA

    1) Starting with the exclude list from the 11.6 DEFAULT:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT

    2) Get rid of the DHE too since SSLLabs sees them as weak and there are other ciphers to support older browsers:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE

    3) Prioritize the elliptic curve Diffie-Hellman cipher that Chrome likes:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM

    4) Prioritize all other elliptic curve Diffie-Hellman ciphers so clients prefer forward secrecy ciphers:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE

    5) Include other old ciphers from the DEFAULT to handle old Java and android browsers:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES

    6) Include other old ciphers from the DEFAULT to handle IE8/XP:

    !LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES
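
As an added example (not part of the original posts, and not F5 code): a small model of why the order of the cipher list decides which suite Chrome ends up with, assuming the server picks the first suite in its own list that the client offers. The suite listing and client offers are constructed samples, and `verdict` is a hypothetical label mirroring the two Chrome messages quoted in the thread.

```python
# Added example: server-preference cipher negotiation over constructed data.
# The listing is a constructed sample in `openssl ciphers -v` layout; it is
# NOT the real expansion of any BIG-IP cipher string.
import re

GCM_FIRST = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA        TLSv1   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)$")

def parse_suites(text):
    """Parse listing lines into dicts, keeping the listed (preference) order."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, _proto, kx, _au, enc, mac = m.groups()
            suites.append({"name": name, "kx": kx, "enc": enc, "mac": mac})
    return suites

def negotiate(server_order, client_offer):
    """Return the first suite in server order that the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s["name"] in offered), None)

def verdict(suite):
    """Hypothetical labels mirroring the Chrome messages quoted in the thread."""
    if suite is None:
        return "handshake fails"
    forward_secret = suite["kx"] in ("ECDH", "DH")   # ephemeral key exchange
    return "modern" if forward_secret and suite["mac"] == "AEAD" else "obsolete"

# Constructed client offers (hypothetical, for illustration only).
CHROME_LIKE = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "AES128-SHA"]
LEGACY = ["AES128-SHA", "DES-CBC3-SHA"]

gcm_first = parse_suites(GCM_FIRST)
cbc_first = [gcm_first[1], gcm_first[0]] + gcm_first[2:]   # CBC listed ahead of GCM
gcm_only = gcm_first[:1]                                   # every fallback removed

if __name__ == "__main__":
    for label, order in (("gcm_first", gcm_first), ("cbc_first", cbc_first),
                         ("gcm_only", gcm_only)):
        for client, offer in (("chrome-like", CHROME_LIKE), ("legacy", LEGACY)):
            pick = negotiate(order, offer)
            print(label, client, pick["name"] if pick else None, verdict(pick))
```
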

  • I'm using 11.6 HF5 and this cipher gave me an A in SSLLABS but an obsolete cipher suite in Chrome:

     

    DEFAULT:!DHE:@SPEED

     

    Whereas this cipher gave me an A- in SSLLABS (better than A) and a modern cipher suite in Chrome:

     

    DEFAULT:!SHA1:!DHE:@SPEED

     

    Problem with this last configuration is that lots of devices are becoming incompatible (IE8-10 + Win 7 for example) ...

     

    Watch out, this is only applicable on 11.6 because "DEFAULT" is different from one version to another, cf. this doc : https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

     

    I'm wondering if there is a way to please Chrome AND SSLLAB without excluding all the browsers that need SHA1 ?

     

  • This is an OLD discussion I know. I stumbled upon it by accident and thought to share my 2 cents.

    I use this
    ECDHE:DEFAULT:!DHE
    simple cipher-suite string to get an A+ rating, with only the IE6/XP combination failing to connect (as it has no support for the TLS protocol).

    What this cipher-suite string essentially does (over the default) is bring the ECDHE ciphers to the front and dump the DHE ciphers.