01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- gcm-sha384' in ciphers list for profile

Question

Hi Guys!
Does anyone experience the same issue? We are experiencing SSL/TLS Vulnerabilities per our Security Team we need to apply the certain cipher configuration and it includes this string SHA384:ECDHE-ECDSAAES256-
GCM-SHA384 however our F5 doesn't accept it.
01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- 
gcm-sha384' in ciphers list for profile /Common/xxxxxx

Thank you!

niels_van_sluis · Answer

I think you missed a dash between ECDSA and AES256.&nbsp;
Try: SHA384:ECDHE-ECDSA-AES256-GCM-SHA384&nbsp;

jg · Answer

On v11.6.1, it seems that leaves the following strong ciphers only:
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384

.

jg · Answer

You cannot define a cipher that F5 does not support.
You can define your ciphers as:
ECDHE:DHE:!DES:!SHA
which gives you:
 tmm --clientciphers 'ECDHE:DHE:!DES:!SHA'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA 
 1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA 
 2: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA 
 3: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA 
 4:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA   
 5:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  EDH/RSA   
 6:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA   
 7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  EDH/RSA

or simply:
TLSv1_2+ECDHE
which gives you:
 tmm --clientciphers 'TLSv1_2+ECDHE'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA 
 1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA 
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA 
 3: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA 
 4: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA 
 5: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA 
 6: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA

to support TLSv1.2 only (Caveat: There are still a lot of clients that use TLS1.0 out there.)
You can create a test profile and let your Security people validate it.

Forum Discussion

01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- gcm-sha384' in ciphers list for profile

3 Replies

Recent Discussions

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Related Content

Re: LTM Cipher rule

Enforce Server Cipher proposal in preferred order

Re: Disable below cipher

Re: Translating Cipher Suites from Wireshark to BIG-IP

Re: Cipher Suite Practices and Pitfalls