After weak cipher remediation, URL not working in Chrome while IE loads fine.

Chrome is not able to load the URL using only TLS 1.2 with SHA256 AES256. The website works fine in IE.

Are there any setting changes needed to resolve the issue?

Comments on this Question
Comment made 1 week ago by Samir Jha 2944

Can you please share the error message which you are seeing in Google Chrome? I am suspecting that Chrome has removed the RC4 cipher in Chrome v48.
Comment made 1 week ago by Krishna 2

ERR_SSL_VERSION_OR_CIPHER_MISMATCH is the error message.
Comment made 1 week ago by Samir Jha 2944

RC4 is disabled by Chrome.

Run the below in the Chrome browser: chrome://flags/#ssl-version-max

Then change the maximum TLS version enabled from default to TLS 1.3.

Selecting TLS 1.3 will work. Try and confirm.
Comment made 1 week ago by Krishna 2

Thanks. When I tried the above option in chrome://flags/#ssl-version-max, I don't see any settings related to TLS 1.3 or SSL.
Comment made 1 week ago by Kai Wilke 7296

Hi Krishna,

Please post your Client SSL Profile cipher string. Maybe we can optimize it further...

Cheers, Kai
Comment made 1 week ago by Samir Jha 2944

Did you select "TLS 1.3 downgrade hardening" as enabled in the Chrome browser? Just try..

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can take a packet capture of the SSL handshake (with ssldump) to see exactly which ciphers are being negotiated and selected.

https://support.f5.com/csp/article/K10209

Then check if you find a reference in Chrome support/forums that talks about your problem.

So first capture traffic, then check with ssldump which ciphers/protocol are negotiated; it will be helpful for you to find a solution...

Regards

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Krishna,

Just tested the cipher support of Chrome. Chrome does not support the cipher called AES256-SHA256 (ID 61). It only supports AES256-SHA (ID 53) or AES256-GCM-SHA384 (ID 157) if you require a (non-DH) RSA-based AES256.

Qualys SSL Labs: SSL/TLS Capabilities of Your Browser

https://www.ssllabs.com/ssltest/viewMyClient.html

To work around this limitation, I would recommend changing your cipher string to include AES256-GCM-SHA384 as well as AES256-SHA256. GCM is considered more secure than CBC, so you will more or less increase the security for those browsers which support this cipher spec.

[root@f501:Active:Standalone] / # tmm --clientcipher 'AES256-GCM-SHA384:AES256-SHA256:-SSLv3:-DTLSv1:-TLSv1:-TLSv1_1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
 1:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA 
 [root@f501:Active:Standalone] / #

Cheers, Kai

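An added example, not part of Kai's answer or any F5 tool: it parses `tmm --clientcipher` output like the table above and checks which suites a browser could negotiate, so the "no shared cipher" case behind ERR_SSL_VERSION_OR_CIPHER_MISMATCH can be seen before changing the profile. The "before" table and the Chrome suite set are constructed from the answer's observations (IDs 53 and 157 offered, 61 not), not a complete Chrome cipher list.

```python
import re

# Constructed from the answer's observation: Chrome offers AES256-GCM-SHA384 (ID 157)
# and AES256-SHA (ID 53) but not AES256-SHA256 (ID 61). Hypothetical subset, not a
# complete Chrome ClientHello list.
CHROME_RSA_AES256 = {157: "AES256-GCM-SHA384", 53: "AES256-SHA"}

# Constructed "before" table: a client-ssl profile that allows only AES256-SHA256 (ID 61).
BEFORE = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
"""
# The table from the answer after adding AES256-GCM-SHA384 in front.
AFTER = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
"""

# One data row: "<idx>:  <ID>  <SUITE>  <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>"
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
FIELDS = ("id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")

def parse_tmm_ciphers(text):
    """Parse tmm --clientcipher output into dicts, keeping BIG-IP preference order."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header and the shell prompt lack the "<n>:" prefix and are skipped
            row = dict(zip(FIELDS, m.groups()))
            row["id"], row["bits"] = int(row["id"]), int(row["bits"])
            suites.append(row)
    return suites

def negotiable(server_suites, client_ids):
    """Suites both sides support, in server (BIG-IP) preference order."""
    return [s for s in server_suites if s["id"] in client_ids]

def diagnose(server_suites, client_ids):
    """Summarise the handshake outcome; no overlap is what Chrome reports as a mismatch."""
    common = negotiable(server_suites, client_ids)
    if not common:
        offered = ", ".join(f"{s['suite']} (ID {s['id']})" for s in server_suites)
        return f"ERR_SSL_VERSION_OR_CIPHER_MISMATCH: client offers none of [{offered}]"
    pick = common[0]
    return f"OK: {pick['suite']} (ID {pick['id']}, {pick['prot']}, {pick['mac']} MAC)"

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", diagnose(parse_tmm_ciphers(table), CHROME_RSA_AES256))
```

To use it on a real profile, paste the output of `tmm --clientcipher '<your cipher string>'` in place of the constructed tables; a client's actual offered IDs can be read from the ssldump capture the other answer describes.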