Forum Discussion

Moinul_Rony
Apr 23, 2015

How to get Perfect Forward Secrecy ( PFS ) in v11.2.1 HF13

Hi,

I have recently installed F5 v11.2.1 HF13 to remediate POODLE and RC4, which has been done. But we are still unable to enable PFS.

According to https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html, PFS should be enabled natively.

The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.

Which CIPHER settings should I use to add PFS and achieve an A+?

Many thanks.

8 Replies

  • So does using the cipher strings in that article not help? Have you actually tried?

    Do you need ONLY ciphers that support PFS?

  • The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.

    Which CIPHER settings should I use to add PFS and achieve an A+?

    I think DHE is included in 11.2.1, but it is not included in the default cipher string. Can you try 'DHE:!SSLv3'?

    [root@B4200-R77-S7:Active:Standalone] config  tmsh show sys version | head
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.2.1
      Build    1306.0
      Edition  Hotfix HF13
      Date     Wed Dec  3 15:05:53 PST 2014
    
    [root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
         ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
     0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
     1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
     2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
     3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
     4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
     5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
     6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
     7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
     8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
     9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
    10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
    11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
    12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
    13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
    [root@B4200-R77-S7:Active:Standalone] config 
    [root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DHE:!SSLv3'
         ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
     0:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
     1:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
     2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
     3:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
     4:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
     5:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
     6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
     7:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
     8:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
     9:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
    10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
    11:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
    12:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
    13:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
    14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
    15:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
    
    • Moinul_Rony
      Thanks. But it's not working. Using DHE:!SSLv3 downgrades to a B, with Cipher Strength going down to 60. Using Native I get an 'F':

      tmm --clientcipher 'NATIVE:!SSLv3:!RC4'
           ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
       0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
       1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
       2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
       3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
       4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
       5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
       6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
       7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
       8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
       9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
      10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
      11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
      12:   9 DES-CBC-SHA                      64  TLS1  Native DES    SHA    RSA
      13:   9 DES-CBC-SHA                      64  TLS1.1  Native DES    SHA    RSA
      14:   9 DES-CBC-SHA                      64  TLS1.2  Native DES    SHA    RSA
      15:   9 DES-CBC-SHA                      64  DTLS1  Native DES    SHA    RSA
      16:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
      17:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
      18:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
      19:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
      20:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
      21:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
      22:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
      23:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
      24:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
      25:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
      26:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
      27:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
      28:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
      29:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
      30:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
      31:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
      32:  98 EXP1024-DES-CBC-SHA              56  TLS1  Native DES    SHA    RSA
      33:  98 EXP1024-DES-CBC-SHA              56  TLS1.1  Native DES    SHA    RSA
      34:  98 EXP1024-DES-CBC-SHA              56  TLS1.2  Native DES    SHA    RSA
      35:  98 EXP1024-DES-CBC-SHA              56  DTLS1  Native DES    SHA    RSA
      36:   8 EXP-DES-CBC-SHA                  40  TLS1  Native DES    SHA    RSA
      37:   8 EXP-DES-CBC-SHA                  40  TLS1.1  Native DES    SHA    RSA
      38:   8 EXP-DES-CBC-SHA                  40  TLS1.2  Native DES    SHA    RSA
      39:   8 EXP-DES-CBC-SHA                  40  DTLS1  Native DES    SHA    RSA
      40:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
      41:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
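The tables posted above show why each cipher string scored the way it did: 'DHE:!SSLv3' keeps the 64-bit DHE-RSA-DES-CBC-SHA suite, and 'NATIVE:!SSLv3:!RC4' adds single DES plus the 40- and 56-bit export suites. They also show that this build lists only EDH/RSA (DHE) key exchange and no ECDHE, so the forward secrecy available here is DHE only. The script below is an added example for this page, not code from the thread or from F5: a POSIX shell/awk audit that reads the table `tmm --clientcipher` prints and flags, once per distinct suite, any plain-RSA key exchange (no forward secrecy), any suite under 128 cipher bits, and any export suite. The sample tables are excerpts of the output posted in this thread (TLS1.2 rows only); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): audit the table that
# `tmm --clientcipher '<cipher string>'` prints on a BIG-IP, so weak or
# non-PFS suites are visible before an external scan is run.
# On the box:   tmm --clientcipher 'DHE:!SSLv3' | audit_ciphers
# Offline here, the sample tables are excerpts of the output posted above.

# One finding per distinct suite (the table repeats each suite once per
# protocol): "SUITE BITS KEYX reasons", where the reasons are
#   no-pfs  key exchange is plain RSA: a leaked server key decrypts old captures
#   weak    fewer than 128 cipher bits (single DES, export grades)
#   export  EXP/EXP1024 suites, which should never be offered
audit_ciphers() {
    awk '
        $1 !~ /^[0-9]+:$/ { next }        # skip header, prompts, blank lines
        {
            suite = $3; bits = $4 + 0; keyx = $NF
            if (suite in seen) next
            seen[suite] = 1
            r = ""
            if (keyx !~ /EDH|ECDHE/) r = r " no-pfs"
            if (bits < 128)          r = r " weak"
            if (suite ~ /^EXP/)      r = r " export"
            if (r != "") print suite, bits, keyx r
        }'
}

# Distinct suites whose key exchange is ephemeral (EDH = DHE, or ECDHE).
count_pfs() {
    awk '$1 ~ /^[0-9]+:$/ && $NF ~ /EDH|ECDHE/ && !seen[$3]++ { n++ } END { print n + 0 }'
}

# Distinct suites the audit flags for any reason.
count_flagged() {
    audit_ciphers | wc -l | tr -d ' '
}

# Excerpt of the posted DEFAULT:!SSLv3:!RC4 table (TLS1.2 rows only).
DEFAULT_SAMPLE='     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA'

# Excerpt of the posted DHE:!SSLv3 table (TLS1.2 rows only).
DHE_SAMPLE='     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA'

# Excerpt of the posted NATIVE:!SSLv3:!RC4 table (the rows that sink the grade).
NATIVE_SAMPLE='     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
14:   9 DES-CBC-SHA                      64  TLS1.2  Native DES    SHA    RSA
18:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
26:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
34:  98 EXP1024-DES-CBC-SHA              56  TLS1.2  Native DES    SHA    RSA
38:   8 EXP-DES-CBC-SHA                  40  TLS1.2  Native DES    SHA    RSA'

# report LABEL TABLE: summary line followed by the per-suite findings.
report() {
    echo "== $1: $(printf '%s\n' "$2" | count_pfs) PFS suite(s), $(printf '%s\n' "$2" | count_flagged) flagged"
    printf '%s\n' "$2" | audit_ciphers
}

report DEFAULT "$DEFAULT_SAMPLE"
report DHE "$DHE_SAMPLE"
report NATIVE "$NATIVE_SAMPLE"
```

On the DHE excerpt the only finding is DHE-RSA-DES-CBC-SHA at 64 bits, which is the suite that pulls the cipher-strength score down; on the NATIVE excerpt the two EXP suites are flagged as export grade in addition to single DES. Which cipher-string keyword excludes them depends on the release's keyword list, so check F5's cipher-string documentation for 11.x before relying on a negation like the '!RC4' used above.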
    • uzi_260320

      Hi Moinul,

      Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.

      Thanks!
