Forum Discussion

JD1's avatar
JD1
Icon for Altostratus rankAltostratus
Dec 13, 2017
Solved

TMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE

Hi All,

I'm currently using BIG-IP 11.6.2 HF1.

I'm required to secure the Management WebUI ciphers offered out.

I'd prefer to drop all key exchange methods except for ECDHE.

However, it seems 

modify sys httpd ssl-ciphersuite
doesn't seem to acknowledge the existence of ECDHE.

openssl ciphers -v
identifies the presence, which I believe 
sys httpd ssl-ciphersuite
utilises instead of tmm's cipher suites (since the sys httpd process runs outside of tmm), so I'd expect Apache HTTPd's mod_ssl would be leveraging this.

So my question is, in three parts:

  • Why doesn't 
    sys httpd ssl-ciphersuite
    recognise ECDHE?
  • Is there anyway to utilize ECDHE on 
    sys httpd
    on 11.6.2 HF1?
  • Does 12.x support this?

Many thanks,

JD

BIG-IP
ecdhe
security
TMOS
tmui
  • nitass's avatar
    nitass
    Dec 21, 2017

    But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

     

    i understand this has been corrected in 12.0.

     

12 Replies

Sort By
  • Ashwin_Venkat_1's avatar
    Ashwin_Venkat_1
    Historic F5 Account
    Dec 14, 2017

    Hi JD,

     

    It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.

     

    Please let me know if this answers your question.

     

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 14, 2017

      Hi Ashwin,

       

      Thanks for the reply.

       

      ECDHE needs to be there to begin with though, and isn't. It looks like 12.x does have it when I took it to lab. But I currently need it in 11.6.2.

       

      As for SSL profiles, I'm not looking at/referring to SSL profiles as this is outside of TMM and is Apache via mod_ssl (configured via the sys httpd ssl-ciphersuites).

       

      If there's anyway to enable ECDHE for Apache/Mod_SSL on 11.6.2, I'm all ears.

       

      Thanks,

       

      JD

       

    • Ashwin_Venkat_1's avatar
      Ashwin_Venkat_1
      Historic F5 Account
      Dec 21, 2017

      Hello JD,

      We do see that ECDHE based cipher suites being available on httpd for 11.6.x when I run the following command:

      openssl ciphers -v 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP'

      If you see ECDHE not working in 11.6.x, then that is likely due to the older version of mod_ssl being used there. We have since upgraded the mod_ssl package in 12.x, which is why you see it there. In any case, the answer to your question is no. We don't support updating components/packages like mod_ssl.

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 21, 2017

      Hi Ashwin,

      Absolutely, I also see openssl ciphers show the availability of ECDHE in the compiled openssl version (mentioned in original question).

      But the point being is that the command 

      sys httpd ssl-ciphersuite
      on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

      I think you're confirming my suspicions, with mod_ssl possibly being outdated.

      (If you want to update your original answer, I'll mark as solved by it and accept we have to upgrade).

      Thanks,

      JD

  • Ashwin_Venkat's avatar
    Ashwin_Venkat
    Icon for Employee rankEmployee
    Dec 14, 2017

    Hi JD,

     

    It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.

     

    Please let me know if this answers your question.

     

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 14, 2017

      Hi Ashwin,

       

      Thanks for the reply.

       

      ECDHE needs to be there to begin with though, and isn't. It looks like 12.x does have it when I took it to lab. But I currently need it in 11.6.2.

       

      As for SSL profiles, I'm not looking at/referring to SSL profiles as this is outside of TMM and is Apache via mod_ssl (configured via the sys httpd ssl-ciphersuites).

       

      If there's anyway to enable ECDHE for Apache/Mod_SSL on 11.6.2, I'm all ears.

       

      Thanks,

       

      JD

       

    • Ashwin_Venkat's avatar
      Ashwin_Venkat
      Icon for Employee rankEmployee
      Dec 21, 2017

      Hello JD,

      We do see that ECDHE based cipher suites being available on httpd for 11.6.x when I run the following command:

      openssl ciphers -v 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP'

      If you see ECDHE not working in 11.6.x, then that is likely due to the older version of mod_ssl being used there. We have since upgraded the mod_ssl package in 12.x, which is why you see it there. In any case, the answer to your question is no. We don't support updating components/packages like mod_ssl.

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 21, 2017

      Hi Ashwin,

      Absolutely, I also see openssl ciphers show the availability of ECDHE in the compiled openssl version (mentioned in original question).

      But the point being is that the command 

      sys httpd ssl-ciphersuite
      on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

      I think you're confirming my suspicions, with mod_ssl possibly being outdated.

      (If you want to update your original answer, I'll mark as solved by it and accept we have to upgrade).

      Thanks,

      JD

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 21, 2017

    But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

     

    i understand this has been corrected in 12.0.

     

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 21, 2017

      Yes, it has. I have tested that. It looks like my only option.

       

      That's fine, just a bit more planning.

       

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Dec 21, 2017

    But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

     

    i understand this has been corrected in 12.0.

     

    • JD1's avatar
      JD1
      Icon for Altostratus rankAltostratus
      Dec 21, 2017

      Yes, it has. I have tested that. It looks like my only option.

       

      That's fine, just a bit more planning.