Forum Discussion
F5 LTM 11.4.0 Cipher Suites question
We currently have an SSL client profile with the following Ciphers setting:
ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA
This results in "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014 ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK256" on ssllabs.com.
We need to disable all WEAK ciphers but are we limited due to lack of TLS 1.3 support here? Disabling 0xc014 (AES) would essentially deny all clients? Any help is greatly appreciated here.
- jaikumar_f5
Noctilucent
Have you first checked which ciphers your bigip would support as part of the handshake when you append the above CIPHER - 'ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA'?
To check that, run the below,
tmm --clientciphers 'ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA'
The above should list a set of CIPHERS that the LTM VS would use for negotiation. I'm sure there will be a minimum of 10+ CIPHER SUITES (I see it in v13).
Your above listed CIPHER - hex value of c014 has below,
ID - 49172 SUITE - ECDHE-RSA-AES256-CBC-SHA BITS - 256 PROT - TLS1.2 METHOD - Native CIPHER - AES MAC - SHA KEYX - ECDHE_RSA
If you are worrying about your overall rating on SSL Labs, you can remove a certain set of CIPHERS. But if your bigip version does not support it, you can't do much about that but to upgrade to latest version. Only AEAD CIPHERS (AES-GCM and ChaCha20-Poly1305) are the strongest in the market now.
Here's the article which shows the bigip versions supported ciphers. Looks like you are very limited with ciphers in this version.
Also, it's not like you need to have TLS 1.3 enabled to get a good rating. Even with TLS 1.2 with strong ciphers you will get a good rating and you will eliminate weak ciphers.
- dgytech
Altostratus
Thank you for your reply. Looks like we will need to upgrade. With everything else turned off for a reason, ECDHE-RSA-AES256-CBC-SHA is the only suite we can offer now.
- ToonVA
Cirrus
MEDIUM: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 128-bit and 256-bit
MAX: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 256-bit
If you don’t want to block those ciphers on CBC then you can use the following string(s) below
MEDIUM: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 128-bit and 256-bit
MAX: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 256-bit
Explanation
- ECDHE - Allow Elliptic Curve Diffie-Hellman Ephemeral with RSA
- ECDHE_ECDSA - Allow ECDHE with Elliptic Curve Digital Signature Algorithm
- !AES - Block AES in CBC mode - 128-bit or 256-bit (needed to stop CBC ciphers)
- !SHA - Block SHA/SHA1 (needed to stop CBC ciphers)
- !RC4 - Block RC4 stream cipher
- !EXP - Block Export grade ciphers - 40-bit or 56-bit
- !DES - Block Single DES in CBC mode - 40-bit & 56-bit
- !3DES - Block Triple DES in CBC mode - 168-bit
- !LOW - Block Key size < 128bit
- !MEDIUM - Block Key size <= 128bit (only 256-bit and higher remains)
- !SSLv2 - Block SSLv2 Protocol
- !SSLv3 - Block SSLv3 Protocol
- !TLSv1 - Block TLS1.0 Protocol
- !TLSv1_1 - Block TLS1.1 Protocol
- @STRENGTH - Enforce most secure first
Personally I made multiple changes for a project to stop TLS1.0 and TLS1.1 support, but I find it easier not to include those in the cipher string but in the options of the profile. Then you have a better overview, and if you save this as a "template" you can re-assign it to your clientssl profiles, so you don't need to maintain all those individual ones but only the "parent". With the options to block CBC you will have a guaranteed A/A+ grade on SSL Labs. Keep in mind that Windows 7 clients with IE11 don't support GCM ciphers in combination with an RSA certificate! If you want to enforce GCM for Windows 7 and IE11 you need an RSA AND an ECDSA certificate in one client-ssl profile in order to let a client make a handshake with ECDHE_ECDSA.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
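Added example, not part of the thread and not F5 code: a Python sketch that parses a listing in the column layout of `tmm --clientciphers` and reports which suites are AEAD with forward secrecy, which answers whether dropping the CBC suites would leave anything to offer. Both sample listings are constructed, and the function names are hypothetical.

```python
import re

# Constructed listings in the ID/SUITE/BITS/PROT/METHOD/CIPHER/MAC/KEYX layout;
# not captured from a real device.
SAMPLE = """\
       ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 2: 49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
"""
ONLY_CBC = """\
       ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
"""

# Data rows start with "<index>:"; the header row does not and is skipped.
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def review(listing):
    """Return one dict per suite with its hex ID and AEAD / forward-secrecy flags."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        sid, suite, bits, prot, _method, cipher, mac, keyx = m.groups()
        rows.append({
            "hex": format(int(sid), "#06x"),   # 49172 -> 0xc014, as SSL Labs prints it
            "suite": suite,
            "prot": prot,
            # AEAD modes named in the thread: AES-GCM and ChaCha20-Poly1305
            "aead": "GCM" in cipher.upper() or "CHACHA20" in cipher.upper(),
            "fs": keyx.upper().startswith(("ECDHE", "DHE", "EDH")),
        })
    return rows

def aead_fs_suites(listing):
    """Suites left after dropping every non-AEAD or non-forward-secret suite."""
    return [r["suite"] for r in review(listing) if r["aead"] and r["fs"]]

if __name__ == "__main__":
    for r in review(SAMPLE):
        verdict = "keep" if r["aead"] and r["fs"] else "drop (non-AEAD or no FS)"
        print(f'{r["hex"]}  {r["suite"]:<30} {r["prot"]}  {verdict}')
    if not aead_fs_suites(ONLY_CBC):
        print("ONLY_CBC: no AEAD suite available; removing CBC leaves nothing to negotiate")
```

An empty result from `aead_fs_suites` on a real listing means the cipher string cannot be tightened further on that software version without leaving the profile with no suites to negotiate.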