BigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rating from ssllabs.
The issue we're having now is that I cannot find a suitable combination of ciphers to allow Chrome to display the following message:
The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
I've been able to find a way to enable ECDHE_RSA as the key exchange; however, the encryption that ends up being used is AES_256_CBC, which causes the obsolete cryptography message to appear. I need to know how to get clients to prefer a GCM cipher, right?
Evidently DHE_RSA does not allow for PFS to be enabled.
Any recommendations for a cipher string?
This is what I've tried so far, with no luck:
!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!SSLv2:!SSLv3:!MD5:!EXPORT:!SHA1:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA
I was able to obtain an A+ rating on ssllabs using the following cipher string; however, the obsolete message is now back:
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3
Your connection to domain.com is encrypted with obsolete cryptography.
The connection uses TLS 1.2.
The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
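Added example (not part of the post above, and not F5 code): a small evaluator for OpenSSL-style cipher strings that shows why the order of the string decides what Chrome ends up with. It implements the rules documented in openssl ciphers(1): tokens are separated by `:`, `A+B` selects suites matching both, `!X` removes permanently, `-X` removes until re-added, `+X` demotes to the end, and a plain token appends matches in the toolkit's default order. The suite table, its assumed default order (AES256-CBC ahead of the GCM suites, chosen to reproduce the symptom described), the keyword names and the `CHROME_OFFER` list are constructed assumptions; BIG-IP's NATIVE list and ordering are not reproduced. `negotiate` assumes the server's order wins, as it does when the server enforces its own cipher preference, and `chrome_verdict` approximates Chrome's "obsolete cryptography" rule (ECDHE key exchange plus an AEAD cipher is modern).

```python
"""OpenSSL-style cipher string evaluator (constructed example, not F5 code).

The suite table, its default order, the keyword names and the Chrome offer
are assumptions for illustration; BIG-IP's NATIVE list is not reproduced.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL-style suite name
    kx: str     # key exchange: ECDHE, DHE or RSA
    enc: str    # bulk cipher
    mac: str    # "AEAD" for GCM suites, otherwise the HMAC hash


# Assumed default order: larger key first, CBC before GCM within a key size.
SUITES = [
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "AES256-CBC", "SHA1"),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AES256-GCM", "AEAD"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDHE", "AES128-CBC", "SHA1"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "AES128-GCM", "AEAD"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", "ECDHE", "3DES-CBC", "SHA1"),
    Suite("DHE-RSA-AES256-SHA", "DHE", "AES256-CBC", "SHA1"),
    Suite("DHE-RSA-AES128-GCM-SHA256", "DHE", "AES128-GCM", "AEAD"),
    Suite("AES256-SHA", "RSA", "AES256-CBC", "SHA1"),
    Suite("AES128-SHA", "RSA", "AES128-CBC", "SHA1"),
    Suite("AES128-GCM-SHA256", "RSA", "AES128-GCM", "AEAD"),
    Suite("DES-CBC3-SHA", "RSA", "3DES-CBC", "SHA1"),
    Suite("RC4-SHA", "RSA", "RC4", "SHA1"),
    Suite("RC4-MD5", "RSA", "RC4", "MD5"),
]
BY_NAME = {s.name: s for s in SUITES}

# Keyword -> predicate over a Suite. Protocol keywords and groups with no
# member in this table (SSLv2, SSLv3, EXPORT, LOW, ADH) match no suite.
KEYWORDS = {
    "ALL": lambda s: True, "DEFAULT": lambda s: True, "NATIVE": lambda s: True,
    "ECDHE": lambda s: s.kx == "ECDHE",
    "DHE": lambda s: s.kx == "DHE", "EDH": lambda s: s.kx == "DHE",
    "RSA": lambda s: s.kx == "RSA",
    "AES": lambda s: s.enc.startswith("AES"),
    "AES-GCM": lambda s: s.enc.endswith("GCM"),
    "AESGCM": lambda s: s.enc.endswith("GCM"),
    "3DES": lambda s: s.enc == "3DES-CBC",
    "DES": lambda s: s.enc == "DES-CBC",   # single DES; none in the table
    "RC4": lambda s: s.enc == "RC4",
    "MD5": lambda s: s.mac == "MD5",
    "SHA1": lambda s: s.mac == "SHA1",
    "SSLv2": lambda s: False, "SSLv3": lambda s: False, "EXPORT": lambda s: False,
    "LOW": lambda s: False, "ADH": lambda s: False,
}


def _select(term: str) -> list:
    """Suites matching every '+'-joined component of term, in default order."""
    parts = term.split("+")
    for p in parts:
        if p not in KEYWORDS and p not in BY_NAME:
            raise ValueError(f"unknown cipher keyword: {p}")
    return [s for s in SUITES
            if all(s.name == p if p in BY_NAME else KEYWORDS[p](s) for p in parts)]


def expand(cipher_string: str) -> list:
    """Enabled suite names in the order the string produces (server preference)."""
    enabled, killed = [], set()
    for tok in cipher_string.split(":"):
        if not tok:
            continue
        if tok[0] == "!":                       # permanent removal
            hit = _select(tok[1:])
            killed.update(s.name for s in hit)
            enabled = [s for s in enabled if s not in hit]
        elif tok[0] == "-":                     # removal, may be re-added later
            hit = _select(tok[1:])
            enabled = [s for s in enabled if s not in hit]
        elif tok[0] == "+":                     # demote matches to the end
            hit = _select(tok[1:])
            enabled = [s for s in enabled if s not in hit] + [s for s in enabled if s in hit]
        else:                                   # append new matches in default order
            enabled += [s for s in _select(tok)
                        if s.name not in killed and s not in enabled]
    return [s.name for s in enabled]


# Constructed approximation of a 2015 Chrome offer (RSA-authenticated suites only).
CHROME_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]


def negotiate(server_string: str, client_offer) -> str:
    """First suite in the server's order that the client also offers."""
    offered = set(client_offer)
    return next((n for n in expand(server_string) if n in offered), None)


def chrome_verdict(name: str) -> str:
    """Approximation of Chrome's rule: ECDHE plus an AEAD cipher is modern."""
    s = BY_NAME[name]
    return "modern" if s.kx == "ECDHE" and s.mac == "AEAD" else "obsolete"


if __name__ == "__main__":
    for cs in ["ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES",
               "ECDHE-RSA-AES128-GCM-SHA256:ECDHE+AES-GCM:ECDHE+AES:!SSLv3:!MD5:!RC4"]:
        chosen = negotiate(cs, CHROME_OFFER)
        print(f"{cs}\n  -> {chosen} ({chrome_verdict(chosen)})")
```

Under these assumptions `ECDHE+AES` hands Chrome AES256-CBC because the CBC suite sits first in the expanded list, while naming `ECDHE-RSA-AES128-GCM-SHA256` (or an `ECDHE+AES-GCM` group) as the very first token gives the GCM suite regardless of the default order. Listing `DHE+...` groups ahead of everything else is also worth a check: if the client does not offer the DHE suites, the next match in server order may be a plain RSA key exchange suite, which is still flagged as obsolete even when it is GCM.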