Forum Discussion

lostmyspaceship
Nov 18, 2014

TLS 1.2 and PFS on 10.2.4

Hi guys, I have a problem enabling both TLS 1.2 and PFS on a 10.2.4 unit. Using the following string should do it in theory:

COMPAT:+TLSv1_2:EDH:!MD5:!EXPORT:!ADH:!DES:!RC4:!SSLv3:@STRENGTH

And tmm --clientcipher says it does:

 0:  57 DHE-RSA-AES256-SHA              256  TLS1  Compat AES    SHA    EDH/RSA
 1:  57 DHE-RSA-AES256-SHA              256  DTLS1  Compat AES    SHA    EDH/RSA
 2:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Compat AES    SHA    EDH/RSA
 3:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Compat DES    SHA    EDH/RSA
 4:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Compat DES    SHA    EDH/RSA
 5:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Compat DES    SHA    EDH/RSA
 6:  51 DHE-RSA-AES128-SHA              128  TLS1  Compat AES    SHA    EDH/RSA
 7:  51 DHE-RSA-AES128-SHA              128  DTLS1  Compat AES    SHA    EDH/RSA
 8:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Compat AES    SHA    EDH/RSA

However, SSL Labs and other tools say that TLS 1.2 is not supported. Any idea what I'm doing wrong?

Thanks in advance.

8 Replies

  • Hmmm, TLS 1.2 support was introduced with v10.2.3, so this should work. However, I wonder if the use of COMPAT is the issue. Is there a reason you are using it?


  • I'm using COMPAT because of the PFS, it seems PFS is not available in the NATIVE stack. It's strange though that with COMPAT tmm says both TLS1.2 and PFS should be there, and they aren't.


  • Wouldn't EDH:!SSLv3:!DES:@STRENGTH yield the same results as the string you used, and be simpler? (I don't have a 10.2 box to confirm)


    What happens if you test using this one instead: EDH+TLSv1_2:EDH:!SSLv3:!DES:@STRENGTH


    • lostmyspaceship
      It seems I have to use either COMPAT, NATIVE, or DEFAULT in order to get any ciphers when I check it with tmm. I also do not want MD5, RC4, Anon DH and Export grade. Adding all those results in my original string, except the explicit mention of TLSv1_2:

      COMPAT:!EXPORT:EDH:!ADH:!MD5:!RC4:!SSLv3:!DES:@STRENGTH

      tmm shows TLS 1.2, but SSL Labs and others still do not see it.

      tmm --clientcipher 'COMPAT:!EXPORT:EDH:!ADH:!MD5:!RC4:!SSLv3:!DES:@STRENGTH'
       ID  SUITE                           BITS PROT    METHOD CIPHER MAC    KEYX
        0:  57 DHE-RSA-AES256-SHA              256  TLS1    Compat AES    SHA    EDH/RSA
        1:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Compat AES    SHA    EDH/RSA
        2:  57 DHE-RSA-AES256-SHA              256  DTLS1   Compat AES    SHA    EDH/RSA
        3:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1    Compat DES    SHA    EDH/RSA
        4:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Compat DES    SHA    EDH/RSA
        5:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1   Compat DES    SHA    EDH/RSA
        6:  51 DHE-RSA-AES128-SHA              128  TLS1    Compat AES    SHA    EDH/RSA
        7:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Compat AES    SHA    EDH/RSA
        8:  51 DHE-RSA-AES128-SHA              128  DTLS1   Compat AES    SHA    EDH/RSA

    • lostmyspaceship
      Nothing:

      tmm --clientcipher 'EDH:!SSLv3:!DES:@STRENGTH'
       ID  SUITE                           BITS PROT    METHOD CIPHER MAC    KEYX

      tmm --clientcipher 'EDH+TLSv1_2:EDH:!SSLv3:!DES:@STRENGTH'
       ID  SUITE                           BITS PROT    METHOD CIPHER MAC    KEYX

    • lostmyspaceship
      And with COMPAT added it adds all the other stuff that isn't needed:

      tmm --clientcipher 'COMPAT:EDH:!SSLv3:!DES:@STRENGTH'
       ID  SUITE                           BITS PROT    METHOD CIPHER MAC    KEYX
        0:  58 ADH-AES256-SHA                  256  TLS1    Compat AES    SHA    ADH
        1:  58 ADH-AES256-SHA                  256  TLS1.2  Compat AES    SHA    ADH
        2:  58 ADH-AES256-SHA                  256  DTLS1   Compat AES    SHA    ADH
        3:  57 DHE-RSA-AES256-SHA              256  TLS1    Compat AES    SHA    EDH/RSA
        4:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Compat AES    SHA    EDH/RSA
        5:  57 DHE-RSA-AES256-SHA              256  DTLS1   Compat AES    SHA    EDH/RSA
        6:  27 ADH-DES-CBC3-SHA                192  TLS1    Compat DES    SHA    ADH
        7:  27 ADH-DES-CBC3-SHA                192  TLS1.2  Compat DES    SHA    ADH
        8:  27 ADH-DES-CBC3-SHA                192  DTLS1   Compat DES    SHA    ADH
        9:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1    Compat DES    SHA    EDH/RSA
       10:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Compat DES    SHA    EDH/RSA
       11:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1   Compat DES    SHA    EDH/RSA
       12:   0 DES-CBC3-MD5                    192  SSL2    Compat DES    MD5    RSA
       13:  24 ADH-RC4-MD5                     128  TLS1    Compat RC4    MD5    ADH
       14:  24 ADH-RC4-MD5                     128  TLS1.2  Compat RC4    MD5    ADH
       15:  52 ADH-AES128-SHA                  128  TLS1    Compat AES    SHA    ADH
       16:  52 ADH-AES128-SHA                  128  TLS1.2  Compat AES    SHA    ADH
       17:  52 ADH-AES128-SHA                  128  DTLS1   Compat AES    SHA    ADH
       18:  51 DHE-RSA-AES128-SHA              128  TLS1    Compat AES    SHA    EDH/RSA
       19:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Compat AES    SHA    EDH/RSA
       20:  51 DHE-RSA-AES128-SHA              128  DTLS1   Compat AES    SHA    EDH/RSA
       21:   0 RC4-MD5                         128  SSL2    Compat RC4    MD5    RSA
       22:   0 RC2-CBC-MD5                     128  SSL2    Compat RC2    MD5    RSA
       23:   0 RC4-64-MD5                       64  SSL2    Compat RC4    MD5    RSA
       24:  97 EXP1024-RC2-CBC-MD5              56  TLS1    Compat RC2    MD5    RSA
       25:  97 EXP1024-RC2-CBC-MD5              56  TLS1.2  Compat RC2    MD5    RSA
       26:  97 EXP1024-RC2-CBC-MD5              56  DTLS1   Compat RC2    MD5    RSA
       27:   6 EXP-RC2-CBC-MD5                  40  TLS1    Compat RC2    MD5    RSA
       28:   6 EXP-RC2-CBC-MD5                  40  TLS1.2  Compat RC2    MD5    RSA
       29:   6 EXP-RC2-CBC-MD5                  40  DTLS1   Compat RC2    MD5    RSA
       30:  23 EXP-ADH-RC4-MD5                  40  TLS1    Compat RC4    MD5    ADH
       31:  23 EXP-ADH-RC4-MD5                  40  TLS1.2  Compat RC4    MD5    ADH
       32:   0 EXP-RC4-MD5                      40  SSL2    Compat RC4    MD5    RSA
       33:   0 EXP-RC2-CBC-MD5                  40  SSL2    Compat RC2    MD5    RSA

  • Hi, did you manage to fix this issue? I'm trying to do the same, no luck so far. F5 BIG IP 10.2.4 HF11
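A small checker for the tmm --clientcipher listings quoted in this thread, added here as an example and not part of the original thread or of F5's tooling: it parses the rows, reports which protocol versions (TLS1, TLS1.2, DTLS1, SSL2) each suite is offered on, and flags the suites the poster's string is meant to exclude (anonymous DH, MD5, RC4/RC2, export grade, SSLv2/v3). The sample rows are an abridged copy of the output posted for COMPAT:EDH:!SSLv3:!DES:@STRENGTH; the policy rules are my reading of the poster's intent, not an F5 setting.

```python
"""Summarise `tmm --clientcipher` output: protocols covered, suites a policy
rejects. Added example, not F5 code; SAMPLE abridged from the thread."""
from collections import defaultdict

SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
1: 58 ADH-AES256-SHA 256 TLS1.2 Compat AES SHA ADH
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Compat AES SHA EDH/RSA
9: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Compat DES SHA EDH/RSA
12: 0 DES-CBC3-MD5 192 SSL2 Compat DES MD5 RSA
13: 24 ADH-RC4-MD5 128 TLS1 Compat RC4 MD5 ADH
27: 6 EXP-RC2-CBC-MD5 40 TLS1 Compat RC2 MD5 RSA
"""

def parse_clientcipher(text):
    """One dict per suite row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[0].endswith(":"):
            continue
        rows.append({"suite": f[2], "bits": int(f[3]), "prot": f[4],
                     "cipher": f[6], "mac": f[7], "keyx": f[8]})
    return rows

def protocols(rows):
    """Protocol version -> sorted suite names offered on it."""
    by_prot = defaultdict(set)
    for r in rows:
        by_prot[r["prot"]].add(r["suite"])
    return {p: sorted(s) for p, s in by_prot.items()}

# Thread's intended policy (PFS only; no anon DH, export, MD5, RC4, SSLv2/v3).
# 3DES is not flagged: '!DES' in OpenSSL syntax removes only single DES.
RULES = (
    (lambda r: r["keyx"] != "EDH/RSA", "no PFS or anonymous DH"),
    (lambda r: r["mac"] == "MD5", "MD5 MAC"),
    (lambda r: r["cipher"] in ("RC4", "RC2"), "RC4/RC2 cipher"),
    (lambda r: r["suite"].startswith("EXP"), "export grade"),
    (lambda r: r["prot"] in ("SSL2", "SSL3"), "legacy SSLv2/SSLv3"),
)

def rejected(rows):
    """Suite -> sorted reasons the policy would drop it."""
    out = {}
    for r in rows:
        why = [reason for test, reason in RULES if test(r)]
        if why:
            out.setdefault(r["suite"], set()).update(why)
    return {s: sorted(w) for s, w in out.items()}
```

Note that tmm lists what the box is configured to offer, not what it negotiates, so a listing with TLS1.2 rows (as every one in this thread has) still needs an external handshake test; the checker only tells you whether the string itself covers the protocol and carries unwanted suites.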