Forum Discussion

SK391_339749
Dec 19, 2017

SSL Profiles - Client Side and Ciphers used.

I have an SSL parent profile (client) using a set of custom profiles. I've then configured 2 * SSL client side SSL profiles using this parent profile. I've then used the two SSL profiles on two separate VIPs.

When I run an SSL Server test using https://www.ssllabs.com/ssltest I'm getting a rating of B (i.e. good) on one of the VIPs but a very poor rating of F on the other site.

The problem seems to be related to one of the SSL client side ciphers being used - TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE

I'm trying to understand why this is being used; it's not in my cipher list, and even if it is, why is one profile fine but the other is not?

Hope this makes sense -> overall, the cipher list is listed within the parent profile which is being used in two SSL Client side profiles which seem to be behaving differently.

2 Replies

  • This is due to ADH enabled in the ciphers. And there could be weaker ciphers in your ciphers list.

    Try the below cipher change and test it,

    TLSv1_2:!ADH:!DES:!3DES:!RC4

    On the other hand, can you also pull this up and share it with us,

    tmsh list ltm profile client-ssl ciphers

  • The error that I'm getting is related to the F5 negotiating TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)

    Can you try openssl s_client using that cipher to the virtual server?

     openssl s_client -cipher ADH-AES256-SHA -connect 
    

    PS: I assume TLS_DH_anon_WITH_AES_256_CBC_SHA is ADH-AES256-SHA according to https://www.openssl.org/docs/manmaster/man1/ciphers.html
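
Added example, not part of the thread or F5's own tooling: a small audit of the output of the `tmsh list ltm profile client-ssl ciphers` command requested in the first reply. It shows which child profiles carry a cipher string that differs from the parent and whether each string mentions ADH. The profile names and the sample listing are constructed, and the ADH check is a heuristic on the string text only, not an evaluation of what the BIG-IP actually negotiates.

```python
import re

# Constructed sample of `tmsh list ltm profile client-ssl ciphers` output.
# Profile names and the vip_b_ssl cipher string are hypothetical.
SAMPLE = """\
ltm profile client-ssl parent_ssl {
    ciphers TLSv1_2:!ADH:!DES:!3DES:!RC4
}
ltm profile client-ssl vip_a_ssl {
    ciphers TLSv1_2:!ADH:!DES:!3DES:!RC4
}
ltm profile client-ssl vip_b_ssl {
    ciphers ALL:ADH:!SSLv3
}
"""

BLOCK = re.compile(r"ltm profile client-ssl (\S+) \{\s*ciphers (\S+)\s*\}")


def parse_profiles(text):
    """Return {profile name: cipher string} from the tmsh listing."""
    return dict(BLOCK.findall(text))


def adh_status(cipher_string):
    """Classify how the string treats ADH: excluded, included or unstated."""
    tokens = cipher_string.split(":")
    if "!ADH" in tokens:
        return "excluded"   # '!' removes the group for the whole string
    if any(t == "ADH" or t.startswith("ADH-") for t in tokens):
        return "included"   # group or a single ADH suite named explicitly
    return "unstated"       # depends on what keywords such as ALL expand to


def audit(text, parent):
    """Compare every other profile's cipher string against the parent's."""
    profiles = parse_profiles(text)
    base = profiles[parent]
    return {
        name: {"ciphers": c, "same_as_parent": c == base, "adh": adh_status(c)}
        for name, c in profiles.items() if name != parent
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE, "parent_ssl").items():
        print(name, result)
```

A profile reported as `same_as_parent: False` has its own cipher string overriding the inherited one, which is one way two children of the same parent can score differently; `unstated` results need checking on the device itself.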