How to get Perfect Forward Secrecy ( PFS ) in v11.2.1 HF13

Hi,

I have recently installed F5 v11.2.1 HF13 to remediate POODLE and RC4, which has been done. But we are still unable to enable PFS.

According to https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html PFS should be enabled natively.

The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.

Which CIPHER settings should I use to add PFS and achieve an A+?

Many thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This other thread should help you. I don't think the minor version difference will be an issue: https://devcentral.f5.com/questions/enabling-pfs

Comments on this Answer
Comment made 23-Apr-2015 by Moinul Rony 113
Thanks -- But I am specifically after version 11.2.1 HF3 -- Even though it says the version already has a PFS-enabled CIPHER -- SSL Labs says otherwise. Thanks for the thread link -- but I have already gone through that page. Cheers

So does using the cipher strings in that article not help? Have you actually tried?

Do you need ONLY ciphers that support PFS?


The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.
Which CIPHER settings should I use to add PFS and achieve an A+?

I think DHE is included in 11.2.1, but it is not included in the default cipher. Can you try 'DHE:!SSLv3'?

[root@B4200-R77-S7:Active:Standalone] config # tmsh show sys version | head

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    1306.0
  Edition  Hotfix HF13
  Date     Wed Dec  3 15:05:53 PST 2014

[root@B4200-R77-S7:Active:Standalone] config # tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
 1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
 4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
 5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
 7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
 8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
 9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config #
[root@B4200-R77-S7:Active:Standalone] config # tmm --clientcipher 'DHE:!SSLv3'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
 1:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
 2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 3:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
 4:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
 5:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
 6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
 7:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
 8:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
 9:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
11:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
12:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
13:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
15:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
Comments on this Answer
Comment made 26-Apr-2015 by Moinul Rony 113
Thanks. But it's not working. Using DHE:!SSLv3 downgrades to a B, with Cipher Strength going down to 60. Using Native I get an 'F':

~ # tmm --clientcipher 'NATIVE:!SSLv3:!RC4'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
 1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
 4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
 5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
 7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
 8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
 9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
12:   9 DES-CBC-SHA                      64  TLS1  Native DES    SHA    RSA
13:   9 DES-CBC-SHA                      64  TLS1.1  Native DES    SHA    RSA
14:   9 DES-CBC-SHA                      64  TLS1.2  Native DES    SHA    RSA
15:   9 DES-CBC-SHA                      64  DTLS1  Native DES    SHA    RSA
16:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
17:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
18:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
19:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
20:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
21:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
22:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
23:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
24:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
25:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
26:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
27:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
28:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
29:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
30:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
31:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
32:  98 EXP1024-DES-CBC-SHA              56  TLS1  Native DES    SHA    RSA
33:  98 EXP1024-DES-CBC-SHA              56  TLS1.1  Native DES    SHA    RSA
34:  98 EXP1024-DES-CBC-SHA              56  TLS1.2  Native DES    SHA    RSA
35:  98 EXP1024-DES-CBC-SHA              56  DTLS1  Native DES    SHA    RSA
36:   8 EXP-DES-CBC-SHA                  40  TLS1  Native DES    SHA    RSA
37:   8 EXP-DES-CBC-SHA                  40  TLS1.1  Native DES    SHA    RSA
38:   8 EXP-DES-CBC-SHA                  40  TLS1.2  Native DES    SHA    RSA
39:   8 EXP-DES-CBC-SHA                  40  DTLS1  Native DES    SHA    RSA
40:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
41:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
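As an added example (not code from the thread or from F5), the script below parses the `tmm --clientcipher` table format shown in the answer and comment above and reports which suites use an ephemeral key exchange (a KEYX of EDH/RSA) and which fall below 128 bits, so a cipher string can be checked before it is pushed to a virtual server. The sample rows are copied from the comment's NATIVE output with the per-protocol repeats collapsed; the `ECDHE` prefix and the 128-bit threshold are this example's assumptions, not anything the thread states.

```python
"""Audit a cipher list as printed by `tmm --clientcipher` on BIG-IP 11.x:
which suites use an ephemeral (PFS) key exchange and which are too weak."""

# Rows copied from the thread's `tmm --clientcipher 'NATIVE:!SSLv3:!RC4'` output,
# with the TLS1/TLS1.1/TLS1.2/DTLS1 repeats collapsed to one row per suite.
SAMPLE_OUTPUT = """\
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 1:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
 2:   9 DES-CBC-SHA                      64  TLS1.2  Native DES    SHA    RSA
 3:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 4:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
 5:  98 EXP1024-DES-CBC-SHA              56  TLS1.2  Native DES    SHA    RSA
 6:   8 EXP-DES-CBC-SHA                  40  TLS1.2  Native DES    SHA    RSA
 7:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
"""

# KEYX values meaning an ephemeral key exchange. "EDH/RSA" is what this thread's
# output shows for DHE suites; "ECDHE" is an assumption for builds that list it.
EPHEMERAL_KEYX = ("EDH", "ECDHE")
MIN_STRONG_BITS = 128  # export (40/56-bit) and single DES (64-bit) fall below this


def parse_clientcipher(text):
    """Return one dict per distinct suite; header and prompt lines are skipped."""
    suites = {}
    for line in text.splitlines():
        f = line.split()
        # Suite row: "<n>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
        if len(f) != 9 or not f[0].endswith(":") or not f[0][:-1].isdigit():
            continue
        suites.setdefault(f[2], {"id": int(f[1]), "suite": f[2], "bits": int(f[3]),
                                 "cipher": f[6], "mac": f[7], "keyx": f[8]})
    return list(suites.values())


def has_pfs(suite):
    return suite["keyx"].startswith(EPHEMERAL_KEYX)


def is_weak(suite):
    return suite["suite"].startswith("EXP") or suite["bits"] < MIN_STRONG_BITS


def audit(text):
    """Names of PFS suites, names of weak suites, and whether every suite has PFS."""
    suites = parse_clientcipher(text)
    pfs = sorted(s["suite"] for s in suites if has_pfs(s))
    weak = sorted(s["suite"] for s in suites if is_weak(s))
    return {"pfs": pfs, "weak": weak, "all_pfs": bool(suites) and len(pfs) == len(suites)}
```

Feeding the thread's two lists through `audit` shows why neither string was enough: the DHE-only list has PFS everywhere but still carries the 64-bit DHE-RSA-DES-CBC-SHA, and the NATIVE list adds RSA-only and export suites.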
Comment made 07-Sep-2016 by uzi 0

Hi Moinul,

Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.

Thanks!
