Client cipher always wins, even with Cipher server preference option set
Hey Team,
I have a requirement to prefer some server cipher suites over others (server's preference) in one of the LTM VSs we use. I used a custom Cipher Suite in my Client-SSL Profile and set the "Cipher server preference" option. The F5, however, seems to ignore this option, and the cipher that wins the selection is always the one at the top of the client's list. To demonstrate the issue, I used openssl s_client (below) with ssldump on the F5. I found a few articles suggesting that this option is a known troublemaker, but all of them seem to describe the opposite issue: people have problems forcing the client list to be used (client's preferences).
I'm running BIG-IP LTM 12.1.5.2 on 4200v platform.
Client:
openssl s_client -connect S.S.S.S:443 -cipher 'AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
F5 ssldump output:
New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443)
1 1 0.0005 (0.0005) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
1 2 0.0005 (0.0000) S>C Handshake
ServerHello
Version 3.3
session_id[32]=
56 bc f9 f6 ea 40 ac 1b be 04 ea 8c d0 09 d4 22
bc a4 43 96 f5 43 f6 ba bf 02 2c d0 a2 99 24 33
cipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
compressionMethod NULL
Client:
openssl s_client -connect S.S.S.S:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256'
F5 ssldump output:
New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443)
2 1 0.0004 (0.0004) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
2 2 0.0015 (0.0011) S>C Handshake
ServerHello
Version 3.3
session_id[32]=
9a 30 dc 8b 6e f5 d0 ee 83 f9 11 b5 d5 3d 78 77
e2 f5 58 57 65 5b 52 33 64 1e 88 fc a6 cd c8 87
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
compressionMethod NULL
Any idea on how to force the server's preference would be highly appreciated.
Thank you.
Jozef
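A small checker for the kind of test shown in the post, added here as an example and not code from the post or from F5: it parses the two ssldump captures above (re-typed here as a constructed sample, session ids and timing lines omitted), computes which suite a server-preference policy and a client-preference policy would each have picked, and reports which policy the observed ServerHello actually matches. The server-side ordering is an assumption, since the post does not show the profile's cipher string.

```python
import re

# Constructed sample in the layout ssldump prints on BIG-IP: two connections
# offering the same two suites in opposite order (taken from the post above).
SSLDUMP = """\
New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443)
ClientHello
cipher suites
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ServerHello
cipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443)
ClientHello
cipher suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ServerHello
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Assumed server-side ordering (not given in the post): ECDHE preferred.
SERVER_PREFERENCE = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                     "TLS_RSA_WITH_AES_128_GCM_SHA256"]

def parse_handshakes(text):
    """Return [(client_offered_list, server_chosen)] per TCP connection."""
    results = []
    for block in re.split(r"^New TCP connection #\d+.*$", text, flags=re.M)[1:]:
        offered = re.findall(r"^TLS_\w+$", block, flags=re.M)
        offered = [c for c in offered if not c.endswith("_SCSV")]  # SCSV is a signal, not a cipher
        chosen = re.search(r"^cipherSuite (TLS_\w+)$", block, flags=re.M).group(1)
        results.append((offered, chosen))
    return results

def expected(offered, server_pref, server_wins):
    # First common suite, walking the list whose order is supposed to win.
    first, second = (server_pref, offered) if server_wins else (offered, server_pref)
    return next((c for c in first if c in second), None)

def classify(text, server_pref=SERVER_PREFERENCE):
    """Which policy the observed ServerHello selections are consistent with."""
    hs = parse_handshakes(text)
    srv = all(expected(o, server_pref, True) == c for o, c in hs)
    cli = all(expected(o, server_pref, False) == c for o, c in hs)
    if srv and cli:
        return "ambiguous"  # client order never disagreed with the server order; reorder and retest
    return "server" if srv else "client" if cli else "inconsistent"
```

Because the two captures offer the suites in opposite orders, a single ServerHello can never settle the question; only the pair does, which is why the checker refuses to decide when every offer happens to agree with the server's order.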