For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sean_Gray_14855's avatar
Sean_Gray_14855
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Enabling PFS

Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
11.4
application delivery
LTM
security
ssl
Sean_Gray_14855's avatar
Sean_Gray_14855
Icon for Nimbostratus rankNimbostratus
Apr 28, 2015

Got this working fine a while ago using the above suggestions. I did run into a problem with killing certain versions of IE and Windows that I actually did want to support, so I ended up with the following as my cipher string which allowed me to support all of the OS/browser combos I wanted while also supporting PFS:

 

ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED

 

After doing this, setting up the iRule for HSTS, and renewing my cert with SHA-256 my site hit the "A+" mark with SSLLabs.

 

  • Steve_M__153836's avatar
    Steve_M__153836
    Icon for Nimbostratus rankNimbostratus
    Apr 28, 2015
    Very cool on the A+. Thanks for the update. Can you elaborate on what versions of IE/Windows you had issues with and why? I know IE6 will obviously not work, but I'm interested to hear about other versions.
  • AJ_01_135899's avatar
    AJ_01_135899
    Icon for Cirrostratus rankCirrostratus
    Jun 02, 2015
    Is this with a specific hotfix applied to 11.4.1? I was under the impression that RC4-SHA was the only POODLE-secure cipher on 11.4.1 (and RC4-SHA would automatically bump you down to a "C"). I'm also not seeing AES-GCM in the list on 11.4.1
  • Steve_M__153836's avatar
    Steve_M__153836
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015
    AJ the GCM suites are only available starting with 11.5.0.