Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x
Hello,
To meet security requirements, I am attempting to enable TLS 1.3 as well as turn off insecure ciphers, including CBC ciphers and all other insecure ciphers. I built a Cipher Group which includes f5-secure as 'Allow', f5-secure in the 'Allowed List', and then built an 'Exclude' that includes a rule which contains the cipher string:
AES:CAMELLIA:DES:RC4:AES256-GCM-SHA384:AES128-GCM-SHA256
This seems to work in that it restricts all bad ciphers which I do not want available. When I look at the Group Audit, I see the following enabled:
Cipher Suites
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3
The issue I am having is when I run an Nmap scan or hit the VIP with SSL Labs, I only get 6 ciphers, which do not include the ECDHE-ECDSA ciphers which should be TLS 1.2 ciphers. Under the client SSL profile, I removed the disable TLS 1.3 option, so we should be good there. Is there anything else that specifically needs to be enabled to allow the BIG-IP device to support ECDHE-ECDSA ciphers? Running 15.1.10.x series.
Anyone have any ideas on this?
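As an added illustration (not part of the original post and not F5 code), here is a small Python check that compares the cipher-group audit list above with the suites an external scan reports and names the certificate type each unseen suite would require. A BIG-IP client-ssl profile only offers ECDHE-ECDSA suites when an ECDSA certificate and key are attached to it alongside the RSA cert-key-chain, which is the usual reason the audit lists them while a scanner never negotiates them. The observed list is constructed to match the six suites the post reports, and the script assumes the profile currently carries only an RSA cert-key-chain.

```python
import re

# Constructed from the cipher-group audit quoted above (F5 NAME/PROTO format).
AUDIT = """
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3
"""

# Constructed: the six suites the post says the external scan actually saw.
OBSERVED = """
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES128-GCM-SHA256
"""

def parse_audit(text):
    """Map suite name -> protocol from 'NAME/TLS1.x' audit lines."""
    return {n: p for n, _, p in (line.partition("/") for line in text.split())}

def auth_algorithm(suite):
    """Certificate type a suite needs the server to present. TLS 1.3 names carry
    no auth part (signature scheme is negotiated separately), so 'any' works."""
    if suite.startswith("TLS13-"):
        return "any"
    m = re.match(r"(?:ECDHE|DHE)-(RSA|ECDSA)-", suite)
    return m.group(1) if m else "RSA"  # e.g. AES256-GCM-SHA384 = RSA key exchange

def diagnose(audit_text, observed_text, profile_certs=("RSA",)):
    """Return suites the audit lists but a scan did not see, plus the certificate
    types that would have to be added to the profile before they can be offered."""
    audit = parse_audit(audit_text)
    seen = set(observed_text.split())
    missing = sorted(s for s in audit if s not in seen)
    needs = {auth_algorithm(s) for s in missing} - set(profile_certs) - {"any"}
    return {"missing": missing, "needs_cert": sorted(needs)}

if __name__ == "__main__":
    r = diagnose(AUDIT, OBSERVED)  # assumption: profile has only an RSA cert-key-chain
    for s in r["missing"]:
        print(f"advertised but never negotiated: {s}")
    print("certificate types to add to the client-ssl profile:", r["needs_cert"])
```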