Forum Discussion

Spela_317265's avatar
Spela_317265
Icon for Nimbostratus rankNimbostratus
Dec 21, 2018

Cipher string mismatch ??

Hi,

I configured SSL cipher string, to support 6 different ciphers:

config tmm --clientciphers TLSv1_2+ECDH-RSA-AES256-GCM-SHA384:TLSv1_2+ECDH-RSA-AES256-SHA384:TLSv1_2+ECDH-RSA-AES256-SHA:TLSv1_2+DHE-RSA-AES256-SHA256:TLSv1_2+DHE-RSA-AES256-SHA:TLSv1_2+DHE-RSA-AES256-GCM-SHA384

   ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX

0: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA

1: 49194 ECDH-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_RSA

2: 49167 ECDH-RSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_RSA

3: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA

4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA

5: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA

I used that string in ClientSSL profile, but when I tested my page with SSLlabs, only ciphers 3,4,5 are supported. Any idea where is the problem??

Best regards,

Spella

  • Bear in mind that the clientssl profile is only half of the equation. Your client must also support the requested ciphers. If you take a packet capture, your client will send a client_hello informing the remote system (the BigIP in this instance) which ciphers and SSL versions (or TLS versions, more likely) it supports. The ciphers will be listed in order of preference.

     

    The Server will then select a cipher from the list offered and proceed. If your client says it only supports a couple of the ciphers you've configured the BigIP to support, then it will never select the others. By the same token, if if offers the client's preferred cipher, it may never offer any of the others.

     

    As such it is perfectly normal for the BigIP not to use all the selected ciphers. Now if you have a client that supports some of our chosen ciphers and we are refusing to initiate a connection due to unsupported ciphers, that's a different problem.

     

    In either case a packet capture should help you get to the bottom of things.

     

  • tcpdump -lnni [client side vlan] -vvvXs0 -w [file.pcap]