Forum Discussion

SOUMYA033_19840 (Nimbostratus)
Apr 21, 2015

I am unable to configure f5 LTM for ECDHE-ECDSA support

Hi, I tried configuring F5 LTM for ECDHE-ECDSA with TLS 1.2. For this purpose I used image 11.6.0. F5 never responded to my client hellos. Can anyone guide me whether F5 supports this cipher, and if so, why it is not answering the client hellos?

7 Replies

  • kunjan (Nimbostratus)

    What cipher list have you configured? Try 'ALL' instead of 'DEFAULT'.

    [root@bigip6:Eval:Active:Standalone] config  tmm --clientciphers ALL | grep ECDHE-ECDSA 
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
     7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES     SHA     ECDHE_ECDSA
     8: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES     SHA     ECDHE_ECDSA
     9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
    46: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1    Native  DES     SHA     ECDHE_ECDSA
    47: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.1  Native  DES     SHA     ECDHE_ECDSA
    48: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.2  Native  DES     SHA     ECDHE_ECDSA
    68: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    70: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
    74: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES     SHA     ECDHE_ECDSA
    75: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES     SHA     ECDHE_ECDSA
    76: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
    [root@bigip6:Eval:Active:Standalone] config  tmm --clientciphers DEFAULT | grep ECDHE-ECDSA 
    [root@bigip6:Eval:Active:Standalone] config  
    
    • SOUMYA033_19840 (Nimbostratus)
      I am using BIG-IP 11.6.0 Build 0.0.401 Final. I will explain the problem I am facing. I am importing the ECC certificate and key successfully into F5. After that, when I try to add them to the profile, I get an error: !! 010717e3:3:Client SSL profile must have RSA Certificate/key pair. I am getting this error and am unable to complete the profile configuration.
    • nitass (Employee)
      You can have multiple key/cert types in one clientssl profile, but an RSA cert/key is mandatory. Note: The profile must have an RSA certificate/key pair, and you cannot associate more than one set of the same certificate/key pair type with the profile. sol15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html
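The rejection nitass describes (error 010717e3: the client-ssl profile must carry an RSA cert/key pair, so an EC pair on its own is refused) is easy to hit when it is not obvious which key type a PEM file actually holds. The following is an added example, not code from this thread or from F5: it walks the certificate DER just far enough to read the SubjectPublicKeyInfo algorithm OID, reports RSA versus EC (and the named curve for EC), and checks whether a set of certificates would satisfy the profile's RSA-pair requirement. The sample certificate is the self-signed ecself.acme.local certificate that nitass's openssl s_client run prints later in the thread; the DER walker is minimal and assumes well-formed X.509 v1/v3 input.

```python
"""Added example (not from the thread): tell RSA from EC certificates before
importing them, and check the BIG-IP rule that a client-ssl profile needs an
RSA pair. Minimal DER walker; assumes well-formed X.509 input."""
import base64

# Transcribed from the s_client output later in the thread (ecself.acme.local).
ECSELF_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBQTCB6KADAgECAgQJ+EHEMAoGCCqGSM49BAMCMCkxCzAJBgNVBAYTAlVTMRow
GAYDVQQDExFlY3NlbGYuYWNtZS5sb2NhbDAeFw0xNTA0MjEwNjI1MDhaFw0xNjA0
MjAwNjI1MDhaMCkxCzAJBgNVBAYTAlVTMRowGAYDVQQDExFlY3NlbGYuYWNtZS5s
b2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKpSXUae0onZ2idut4qc3T2G
2M5HswHo003+bwMsu1Yg2htp00pseH9SqTH1bEbQrp88xYvK2ZcIqWuWxEDuC84w
CgYIKoZIzj0EAwIDSAAwRQIgC1VXeI+TEemv3X4QqR7kUudBC9a2qYM/2J+SK0n3
B9QCIQDQGxiuat6PfQxHCv/m+1XO3x/wJltjF2nrXsDkQxMehQ==
-----END CERTIFICATE-----
"""

# SubjectPublicKeyInfo algorithm OIDs and the named curves BIG-IP commonly sees.
KEY_ALGS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
CURVES = {"1.2.840.10045.3.1.7": "prime256v1",
          "1.3.132.0.34": "secp384r1",
          "1.3.132.0.35": "secp521r1"}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode DER OID contents (e.g. 2a8648ce3d0201) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def public_key_type(pem):
    """Return (kind, curve): kind is 'RSA', 'EC' or the raw OID; curve is the
    named curve for EC keys, else None."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert, _ = der_tlv(der)               # Certificate ::= SEQUENCE
    tbs = der_children(cert)[0][1]          # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version (v3) present
        fields = fields[1:]
    spki = fields[5][1]                     # serial, sigAlg, issuer, validity, subject, SPKI
    alg = der_children(der_children(spki)[0][1])   # AlgorithmIdentifier
    kind = KEY_ALGS.get(decode_oid(alg[0][1]), decode_oid(alg[0][1]))
    curve = None
    if kind == "EC" and len(alg) > 1 and alg[1][0] == 0x06:
        curve_oid = decode_oid(alg[1][1])
        curve = CURVES.get(curve_oid, curve_oid)
    return kind, curve


def profile_has_rsa_pair(cert_pems):
    """BIG-IP rule from sol15062: at least one RSA cert/key pair is mandatory."""
    return any(public_key_type(p)[0] == "RSA" for p in cert_pems)


if __name__ == "__main__":
    print("ecself.crt key type:", public_key_type(ECSELF_CERT_PEM))
    print("profile with only ecself.crt satisfies RSA rule:",
          profile_has_rsa_pair([ECSELF_CERT_PEM]))
```

Running it on the thread's certificate reports an EC key on prime256v1 and confirms that a profile holding only that pair fails the RSA rule, which is exactly the 010717e3 condition; adding an RSA pair alongside it (as in nitass's `default` plus `ecself` cert-key-chain) satisfies the check.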
  • Are you using an EC type certificate?

    By the way, you are aware of this known issue, aren't you?

    sol16461: ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
    https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16461.html

    This is mine.

     configuration
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            myclientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 28
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
            ecself {
                cert ecself.crt
                key ecself.key
            }
        }
        ciphers ECDHE_ECDSA+TLSv1_2
        defaults-from clientssl
        inherit-certkeychain false
    }
    
     client
    
    [root@bip8:Active:Standalone] config  openssl s_client -connect 172.28.24.10:443
    CONNECTED(00000003)
    depth=0 C = US, CN = ecself.acme.local
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, CN = ecself.acme.local
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/CN=ecself.acme.local
       i:/C=US/CN=ecself.acme.local
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIBQTCB6KADAgECAgQJ+EHEMAoGCCqGSM49BAMCMCkxCzAJBgNVBAYTAlVTMRow
    GAYDVQQDExFlY3NlbGYuYWNtZS5sb2NhbDAeFw0xNTA0MjEwNjI1MDhaFw0xNjA0
    MjAwNjI1MDhaMCkxCzAJBgNVBAYTAlVTMRowGAYDVQQDExFlY3NlbGYuYWNtZS5s
    b2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKpSXUae0onZ2idut4qc3T2G
    2M5HswHo003+bwMsu1Yg2htp00pseH9SqTH1bEbQrp88xYvK2ZcIqWuWxEDuC84w
    CgYIKoZIzj0EAwIDSAAwRQIgC1VXeI+TEemv3X4QqR7kUudBC9a2qYM/2J+SK0n3
    B9QCIQDQGxiuat6PfQxHCv/m+1XO3x/wJltjF2nrXsDkQxMehQ==
    -----END CERTIFICATE-----
    subject=/C=US/CN=ecself.acme.local
    issuer=/C=US/CN=ecself.acme.local
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 654 bytes and written 431 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
        Session-ID: CB197910DEEDB6A2DF02C59D6B5352B5FF3925FC8BB20A67C3EEE078FD78C143
        Session-ID-ctx:
        Master-Key: 42C3C2C0CDE0901EAFBD6D8EF98D814B5C8A9DBD3BC64ABF369ADCCBD0D7BDF34C28D88F9DF8A8C132773668E85E64A0
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1429607775
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    GET /
    
    
    
    This is 101 host.
    
    
    
    read:errno=0
    
     trace
    
    [root@ve11c:Active:In Sync] config  ssldump -Aed -nni 0.0 port 443
    New TCP connection 1: 172.28.24.8(35590) <-> 172.28.24.10(443)
    1 1  1429607775.4983 (0.0019)  C>SV3.1(300)  Handshake
          ClientHello
            Version 3.3
            random[32]=
              69 6a e6 86 2a de 06 1c de 80 54 ac c8 10 4c d2
              b8 a8 94 77 89 62 3c af 52 aa 02 06 a6 4a 3c c3
            cipher suites
            Unknown value 0xc030
            Unknown value 0xc02c
            Unknown value 0xc028
            Unknown value 0xc024
            Unknown value 0xc014
            Unknown value 0xc00a
            Unknown value 0xa3
            Unknown value 0x9f
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
            TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
            Unknown value 0xc032
            Unknown value 0xc02e
            Unknown value 0xc02a
            Unknown value 0xc026
            Unknown value 0xc00f
            Unknown value 0xc005
            Unknown value 0x9d
            TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
            Unknown value 0xc02f
            Unknown value 0xc02b
            Unknown value 0xc027
            Unknown value 0xc023
            Unknown value 0xc013
            Unknown value 0xc009
            Unknown value 0xa2
            Unknown value 0x9e
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            Unknown value 0x9a
            Unknown value 0x99
            Unknown value 0x45
            Unknown value 0x44
            Unknown value 0xc031
            Unknown value 0xc02d
            Unknown value 0xc029
            Unknown value 0xc025
            Unknown value 0xc00e
            Unknown value 0xc004
            Unknown value 0x9c
            TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA
            Unknown value 0x96
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            Unknown value 0xc011
            Unknown value 0xc007
            Unknown value 0xc00c
            Unknown value 0xc002
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_RC4_128_MD5
            Unknown value 0xc012
            Unknown value 0xc008
            TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc00d
            Unknown value 0xc003
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_DHE_RSA_WITH_DES_CBC_SHA
            TLS_DHE_DSS_WITH_DES_CBC_SHA
            TLS_RSA_WITH_DES_CBC_SHA
            TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
            TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
            TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
            TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
            TLS_RSA_EXPORT_WITH_RC4_40_MD5
            Unknown value 0xff
            compression methods
                      NULL
    1 2  1429607775.4992 (0.0009)  S>CV3.3(95)  Handshake
          ServerHello
            Version 3.3
            random[32]=
              49 b5 4c ac e4 2a e2 93 a2 bc fa 58 ae d6 f8 ad
              16 fb 8e 78 ea f1 34 fa c7 2e 77 f3 7b f2 d9 c9
            session_id[32]=
              cb 19 79 10 de ed b6 a2 df 02 c5 9d 6b 53 52 b5
              ff 39 25 fc 8b b2 0a 67 c3 ee e0 78 fd 78 c1 43
            cipherSuite         Unknown value 0xc02c
            compressionMethod                   NULL
    1 3  1429607775.4992 (0.0000)  S>CV3.3(335)  Handshake
          Certificate
    1 4  1429607775.4992 (0.0000)  S>CV3.3(149)  Handshake
          ServerKeyExchange
    1 5  1429607775.4992 (0.0000)  S>CV3.3(4)  Handshake
          ServerHelloDone
    1 6  1429607775.5072 (0.0079)  C>SV3.3(70)  Handshake
          ClientKeyExchange
    1 7  1429607775.5072 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
    1 8  1429607775.5072 (0.0000)  C>SV3.3(40)  Handshake
    1 9  1429607775.5089 (0.0016)  S>CV3.3(1)  ChangeCipherSpec
    1 10 1429607775.5090 (0.0000)  S>CV3.3(40)  Handshake
    1 11 1429607776.9673 (1.4583)  C>SV3.3(30)  application_data
    1 12 1429607776.9724 (0.0050)  S>CV3.3(113)  application_data
    1    1429607776.9724 (0.0000)  S>C  TCP FIN
    1 13 1429607776.9761 (0.0037)  C>SV3.3(26)  Alert
    1    1429607776.9766 (0.0004)  C>S  TCP FIN
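Two outputs in this thread fit together: kunjan's `tmm --clientciphers` table gives each suite's decimal id next to its name, and nitass's ssldump trace prints the ECC suites in the ClientHello only as "Unknown value 0x....", with the ServerHello choosing 0xc02c. The following is an added example, not code from this thread or from F5: it parses both outputs (sample rows transcribed from above), decodes the unknown ids through the tmm table, and works out which suite the BIG-IP picks. It assumes server-preference selection, i.e. the first row in tmm index order that the client offered, and it also runs the DEFAULT table, which listed no ECDHE-ECDSA suites, to show the no-overlap case behind the original question.

```python
"""Added example (not from the thread): decode the suites ssldump printed as
"Unknown value 0x...." with the id column of `tmm --clientciphers`, and find
the suite the BIG-IP selects from the client's offer."""
import re

# Transcribed from kunjan's `tmm --clientciphers ALL | grep ECDHE-ECDSA` output,
# keeping the TLS1.2 rows: index, decimal suite id, name, key bits, protocol, ...
TMM_ECDHE_ECDSA_TLS12 = """\
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
 9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
48: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.2  Native  DES     SHA     ECDHE_ECDSA
68: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
70: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
76: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
"""

# The same command with DEFAULT printed no ECDHE-ECDSA rows in the thread.
TMM_DEFAULT_ECDHE_ECDSA = ""

# Leading entries of the ClientHello cipher list from nitass's ssldump trace;
# ssldump printed "Unknown value" for suites it could not name.
SSLDUMP_CLIENT_HELLO = """\
            Unknown value 0xc030
            Unknown value 0xc02c
            Unknown value 0xc028
            Unknown value 0xc024
            Unknown value 0xc014
            Unknown value 0xc00a
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA
"""

TMM_ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)")
UNKNOWN = re.compile(r"^Unknown value 0x([0-9a-fA-F]+)$")


def parse_tmm(text):
    """Return [(index, suite_id, name, protocol)] sorted by tmm index."""
    rows = []
    for line in text.splitlines():
        m = TMM_ROW.match(line)
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return sorted(rows)


def parse_client_hello(text):
    """Offered suites in client order: ints for 'Unknown value 0x..' lines,
    IANA names (str) for the lines ssldump could decode."""
    offered = []
    for line in text.splitlines():
        line = line.strip()
        m = UNKNOWN.match(line)
        if m:
            offered.append(int(m[1], 16))
        elif line:
            offered.append(line)
    return offered


def decode_unknowns(server_rows, offered):
    """Map each numeric id the client offered to its tmm name, or '?' when the
    id is absent from the given tmm table (e.g. an ECDHE-RSA suite here)."""
    names = {sid: name for _, sid, name, _ in server_rows}
    return {f"0x{sid:04x}": names.get(sid, "?")
            for sid in offered if isinstance(sid, int)}


def negotiate(server_rows, offered, protocol="TLS1.2"):
    """Assumed server-preference selection: first row in tmm order whose id the
    client offered. Returns (suite_id, name), or None when nothing overlaps."""
    offered_ids = {sid for sid in offered if isinstance(sid, int)}
    for _, sid, name, proto in server_rows:
        if proto == protocol and sid in offered_ids:
            return sid, name
    return None


if __name__ == "__main__":
    offered = parse_client_hello(SSLDUMP_CLIENT_HELLO)
    for label, table in (("ALL", TMM_ECDHE_ECDSA_TLS12),
                         ("DEFAULT", TMM_DEFAULT_ECDHE_ECDSA)):
        rows = parse_tmm(table)
        print(f"{label}: decoded offer = {decode_unknowns(rows, offered)}")
        choice = negotiate(rows, offered)
        if choice:
            print(f"{label}: server picks 0x{choice[0]:04x} {choice[1]}")
        else:
            print(f"{label}: no common ECDHE-ECDSA suite, handshake cannot complete")
```

With the ALL table the pick is 0xc02c, ECDHE-ECDSA-AES256-GCM-SHA384, the same value the ServerHello and the `openssl s_client` summary show above; with the DEFAULT table there is no ECDHE-ECDSA overlap at all, so a client that offers only those suites cannot complete the handshake, which is the symptom the original post describes.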