Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x

Question

Hello,To meet security requirements, I am attempting to enable TLS 1.3 as well as turn off insecure ciphers including CBC Ciphers and all other insecure Ciphers. &nbsp;I built a Cipher Group which includes f5-secure as 'Allow', f5-secure in the 'Allowed List' and then built an 'Exclude' that includes a rule which contains the cipher string:AES:CAMELLIA:DES:RC4:AES256-GCM-SHA384:AES128-GCM-SHA256This seems to work in that it restricts all bad ciphers which I do not want available. &nbsp;When I look at the Group Audit, I see the following enabled:Cipher SuitesECDHE-RSA-AES256-GCM-SHA384/TLS1.2ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2TLS13-AES256-GCM-SHA384/TLS1.3TLS13-CHACHA20-POLY1305-SHA256/TLS1.3ECDHE-RSA-AES128-GCM-SHA256/TLS1.2ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2TLS13-AES128-GCM-SHA256/TLS1.3The issue I am having is when I run an NMAP scan or hit the VIP with SSL Labs, I only get 6 Ciphers which do not include the ECDHE-ECDSA ciphers which should be TLS 1.2 Ciphers. &nbsp;Under the client ssl profile, I removed the disable TLS 1.3 option, so we should be good there. &nbsp;Is there anything else that specifically needs to be enabled to allow the BigIP device to support ECDHE-ECDSA ciphers? &nbsp;Running 15.1.10.x series. &nbsp; &nbsp;Anyone have any ideas on this?

michael_saleem · Answer

Your NMAP scan will only show ECDSA ciphers if you have an ECDSA SSL certificate terminated on the VIP. I suspect that you are using an RSA SSL certificate, which is why you will only see RSA based ciphers.

psfletchthetek · Answer

Hi&nbsp;HetmanG,
Did you get this sorted? - I have had the same experiance and would agree with&nbsp;Michael_Saleem, it does seem like you are using a RSA cert so only those ciphers are being seen.

addisynward · Answer

I want to ask a similar question, can I ask it?

whisperer · Answer

I would start a separate thread, so that is more visibility and separation of issues/solutions.

whisperer · Answer

I would markMichael_Saleemreply as the solution here.

ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only a RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.

Forum Discussion

Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x

5 Replies

Recent Discussions

Need help on CLI command to fetch < VIP Name + current connections >

Glycogen Control Australia Is Right For You See Here

APM combine check for ldap group plus IP ACL

Error in REST https call to get the Auth token v15.1.8

Incosistent forwarding of HTTP/2 connections with layered virtual

Related Content

SIGSEGV on 15.1.10.x

Enable telnet on SSH

Enable SAML Service Provider on F5 Distributed Cloud Application

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

enable WebSocket profile.