Adriaan
Jul 09, 2021

SSLv3 Cipher support

I have an old SSL client that uses the following ciphers:

Secure Sockets Layer
  SSLv3 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)
    Length: 49
    Handshake Protocol: Client Hello
      Handshake Type: Client Hello (1)
      Length: 45
      Version: SSL 3.0 (0x0300)
      Random
      Session ID Length: 0
      Cipher Suites Length: 6
      Cipher Suites (3 suites)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
      Compression Methods Length: 1
      Compression Methods (1 method)
        Compression Method: null (0)

F5 error:

Jul 9 15:09:19 MainFrontEnd warning tmm[11852]: 01260009:4: Connection error: ssl_hs_rxhello:7527: unsupported version (40)

 

Packet trace error:

    Alert Message
      Level: Fatal (2)
      Description: Handshake Failure (40)

 

Does F5 still support these Ciphers?

 

Using "ALL" or insecure-compatibility ciphers does not do the trick:

!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED

 

Ciphers on F5:

tmsh run util clientssl-ciphers SSLv3

      ID  SUITE                BITS  PROT  METHOD  CIPHER  MAC  KEYX
 0:   57  DHE-RSA-AES256-SHA    256  SSL3  Native  AES     SHA  EDH/RSA
 1:   56  DHE-DSS-AES256-SHA    256  SSL3  Native  AES     SHA  DHE/DSS
 2:   58  ADH-AES256-SHA        256  SSL3  Native  AES     SHA  ADH
 3:   53  AES256-SHA            256  SSL3  Native  AES     SHA  RSA
 4:   22  DHE-RSA-DES-CBC3-SHA  168  SSL3  Native  DES     SHA  EDH/RSA
 5:   27  ADH-DES-CBC3-SHA      168  SSL3  Native  DES     SHA  ADH
 6:   10  DES-CBC3-SHA          168  SSL3  Native  DES     SHA  RSA
 7:   51  DHE-RSA-AES128-SHA    128  SSL3  Native  AES     SHA  EDH/RSA
 8:   50  DHE-DSS-AES128-SHA    128  SSL3  Native  AES     SHA  DHE/DSS
 9:   52  ADH-AES128-SHA        128  SSL3  Native  AES     SHA  ADH
10:   47  AES128-SHA            128  SSL3  Native  AES     SHA  RSA
11:   24  ADH-RC4-MD5           128  SSL3  Native  RC4     MD5  ADH
12:   21  DHE-RSA-DES-CBC-SHA    64  SSL3  Native  DES     SHA  EDH/RSA
13:    5  RC4-SHA               128  SSL3  Native  RC4     SHA  RSA
14:    4  RC4-MD5               128  SSL3  Native  RC4     MD5  RSA
15:   26  ADH-DES-CBC-SHA        64  SSL3  Native  DES     SHA  ADH
16:    9  DES-CBC-SHA            64  SSL3  Native  DES     SHA  RSA
17:   98  EXP1024-DES-CBC-SHA    56  SSL3  Native  DES     SHA  RSA
18:  100  EXP1024-RC4-SHA        56  SSL3  Native  RC4     SHA  RSA
19:    8  EXP-DES-CBC-SHA        40  SSL3  Native  DES     SHA  RSA
20:    3  EXP-RC4-MD5            40  SSL3  Native  RC4     MD5  RSA

 

list /sys httpd ssl-ciphersuite
sys httpd {
  ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
}

list /sys httpd ssl-protocol
sys httpd {
  ssl-protocol "all -SSLv2 -SSLv3"
}
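
One way to rule the cipher list in or out is to compare the suite IDs in the Client Hello with the IDs in the clientssl-ciphers SSLv3 output. This is an added example, not part of the original post: the function names are hypothetical, and the sample input is copied from the capture and the tmsh output above (tmsh rows are an excerpt).

```python
import re

# Sample input copied from the post above; the tmsh rows are an excerpt and the
# header line is kept so the parser has a non-data line to skip.
CLIENT_HELLO = """\
      Cipher Suites Length: 6
      Cipher Suites (3 suites)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
"""
TMSH_SSLV3 = """\
    ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0:  57 DHE-RSA-AES256-SHA 256 SSL3 Native AES SHA EDH/RSA
 3:  53 AES256-SHA 256 SSL3 Native AES SHA RSA
 6:  10 DES-CBC3-SHA 168 SSL3 Native DES SHA RSA
10:  47 AES128-SHA 128 SSL3 Native AES SHA RSA
13:   5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
14:   4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
"""

OFFER_RE = re.compile(r"Cipher Suite:\s+(\S+)\s+\(0x([0-9a-fA-F]{4})\)")
ROW_RE = re.compile(
    r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)")

def parse_client_offer(text):
    """Return [(suite_id, iana_name)] in the client's preference order."""
    return [(int(h, 16), name) for name, h in OFFER_RE.findall(text)]

def parse_tmsh_ciphers(text):
    """Return {suite_id: (suite, bits, prot, keyx)} from clientssl-ciphers output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            table[int(m.group(1))] = (m.group(2), int(m.group(3)),
                                      m.group(4), m.group(5))
    return table

def shared_suites(offer, table):
    """Offered suites the BIG-IP also lists, plus offered names it lacks."""
    common = [(sid, table[sid][0]) for sid, _ in offer if sid in table]
    missing = [name for sid, name in offer if sid not in table]
    return common, missing

if __name__ == "__main__":
    common, missing = shared_suites(parse_client_offer(CLIENT_HELLO),
                                    parse_tmsh_ciphers(TMSH_SSLV3))
    for sid, suite in common:
        print(f"0x{sid:04x} offered by client, listed for SSLv3 as {suite}")
    print("not listed:", missing or "none")
```

All three offered suites (IDs 10, 5 and 4) appear in the SSLv3 list, which is consistent with the tmm log line reporting an unsupported version rather than a missing cipher.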