ECC Ciphers in 11.4.1

Question

I am having some trouble getting ECDHE ciphers to function.  I am running 11.4.1 and have tried multiple cipher strings in the SSL profile, but I can't seem to get them to appear when I scan the VIP.  I always seem to get the AES-128-SHA and AES-256-SHA&nbsp;
Right now in prod I am running this on most of my servers. 
DEFAULT:!SSLv3:!RC4@STRENGTH&nbsp;
I tried adding the cipher suite but that didn't do anything&nbsp;
DEFAULT:ECDHE+AES:!SSLv3:!RC4@STRENGTH&nbsp;
I also tried doing something a little more complex.  However that didn't really change anything either.  &nbsp;
NATIVE:!MD5:!EXPORT:!3DES:!DES:!DHE:!SSLv3:!SSLv2@STRENGTH&nbsp;
The documentation says that ECC ciphers were available starting in 11.4.0.  Any help would be appreciated.&nbsp;

nathe · Answer

Mike,&nbsp;
What about if you run the following from the BIG-IP CLI?&nbsp;
tmm --clientciphers 'DEFAULT:!SSLv3:!RC4:@STRENGH' does this return possible ECDHE ciphers? My test rig is 11.5.1 and I do get ECDHE ciphers - but as you say they are included in 11.4.1.&nbsp;
Nothing else configured in the Client SSL Profile is there?&nbsp;
Hope this helps,&nbsp;
N&nbsp;

Forum Discussion

ECC Ciphers in 11.4.1

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

Real Cryptography Has Curves: Making The Case For ECC

LTM Cipher rule