Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket with f5 support and they just point me to various devcentral discussions that don't have the detail I need. So I guess my question is: what are the cipher options I need to add/remove to enable PFS on a SSL client profile? or is there another way to get PFS going that I am missing? Thanks!

So I guess my question is: what are the cipher options I need to add/remove to enable PFS on a SSL client profile? or is there another way to get PFS going that I am missing? i understand pfs is included since 11.2.1. you can display cipher suite list using tmm --clientciphers and tmm --serverciphers command. Diffie-Hellman SSL key exchange cipher The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration. Release Note: BIG-IP LTM and TMOS 11.2.1 https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.htmlrn_new

Thanks! Having read as much documentation as I can scrape up, I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful. Here's my cipher string: [root@lbl701:Active:In Sync] config tmm --serverciphers DEFAULT:@STRENGTH:-RC4 ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 6: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 9: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 15: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 16: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 17: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 18: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 19: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 20: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 21: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 22: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 23: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 25: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA Do I need to disable all non-ECDHE to get this to work?

I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful. if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)? by the way, isn't it clientcipher (clientssl profile)? [root@ve11a:Active:In Sync] config tmm --clientcipher ECDHE ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA

Enabling PFS | DevCentral

53 Replies

Rahul_Kaul
Cirrus
Feb 12, 2020
We have to enable only ciphers having "DHE" as Diffie-Hellman Ephemeral (DHE) key exchange method provides Perfect Forward Privacy. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-system-ssl-traffic-management-14-1-0-1/10.html
james_lee_31100
Nimbostratus
Sep 11, 2015
Hello:

I have following cert

Common name: landing.XXXX.com SANs: landing.XXXX.com Organization: XXXX Inc. Location: XXXX, Illinois, US Valid from September 4, 2015 to December 3, 2018 Serial Number: 1356153356 (0x50d5420c) Signature Algorithm: sha256WithRSAEncryption Issuer: Entrust Certification Authority - L1K

Common name: Entrust Certification Authority - L1K

Organization: Entrust, Inc. Location: US Valid from October 10, 2014 to October 10, 2024 Serial Number: 1372455166 (0x51ce00fe) Signature Algorithm: sha256WithRSAEncryption Issuer: Entrust.net Certification Authority (2048)

Common name: Entrust.net Certification Authority (2048)

Organization: Entrust.net Valid from December 24, 1999 to July 24, 2029 Serial Number: 946069240 (0x3863def8) Signature Algorithm: sha1WithRSAEncryption Issuer: Entrust.net Certification Authority (2048)

cipher suite as following ECDHE+AES:ECDHE+3DES:RSA+3DES:!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4

Latest version of Chrome: 45.0.2454.85 (64-bit)

Chrome complains following:

Your connection to landing.sirva.com is encrypted using an obsolete cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

The connection uses TLS 1.2.

The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism.
- james_lee_31100
  Nimbostratus
  Sep 16, 2015
  thanks Steve.. use your suggestion, fixed it AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW:!SSLv2:!SSLv3
- Steve_M__153836
  Nimbostratus
  Sep 13, 2015
  What version of TMOS are you running? ECDHE+AES should not result in an obsolete cipher suite, but Google's criteria for that message regarding cipher suites and cryptography are sometimes more stringent. I guess they're now considering AES_256_CBC obsolete. I would not support 3DES either. If you're running 11.5 or later I'd start with this and go from there with your testing: AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW. Also from earlier in this thread I would review this: In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305."
JMart_143192
Nimbostratus
Aug 14, 2015
Hello everyone,

I am trying to get the PFS enabled on my platform, I have the following profile enabled:

ltm profile client-ssl /Common/clientssl_HB_users { app-service none ca-file /Common/cert.crt cert /Common/cert_2015.crt ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4 defaults-from /Common/clientssl key /Common/cert_2015.key options { dont-insert-empty-fragments no-sslv3 } renegotiation disabled

I'm getting and A- on SSL Test and I need to upgrade it, My platform is on version 11.4.1 HF 6. Could you help me to solutionate this? Thank you so much! Thank you so much.
- Steve_M__153836
  Nimbostratus
  Aug 18, 2015
  So what you're going to have to do is look at the cipher suite used for those browsers and figure out what the correct variables are with the cipher suites and remove it. I have the same issue because my business has forced me to allow the RC4 ciphers. I would get an A or A+ if it were not for that. Since you're not allowing RC4 then it is a different cipher suite that is your issue.
- JMart_143192
  Nimbostratus
  Aug 14, 2015
  Helo Steve M. Thank for your response! Yes my problem is with the FS (Forward Secrecy) it doesn't show an specific state more than "Forward Secrecy No WEAK" and it only shows me that I am not supporting FS for no one of the browsers I thought that the only thing that I see every site is that I have to put the ECDHE in the ciphers but it wasn't all for me. I don't know how can I improve this, Thank you so much
- Steve_M__153836
  Nimbostratus
  Aug 14, 2015
  There are many things that go into that grade. I know there are are two renegotiation settings in the profile. Make sure the one you have disabled is the one that corresponds to client-side renegotiation. Also found this in Qualys' recommendations (https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf). "3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients." If there is anything from the result that states why you received the grade you did please post that so we can review it.
Sean_Gray_14855
Nimbostratus
Apr 28, 2015
My initial cipher string was simply "ECDHE" which actually crushed all but 2 (as I recall, only IE11 was fine) of the Windows/IE combos. It also killed a few of the java ones, and a few others. So I played around quite a bit, and had to add AES-GCM but explicitly disable weaker ciphers that came along with it. Currently only IE6/XP is not supported which I'm totally fine with, while maintaining PFS.
Sean_Gray_14855
Nimbostratus
Apr 28, 2015
Got this working fine a while ago using the above suggestions. I did run into a problem with killing certain versions of IE and Windows that I actually did want to support, so I ended up with the following as my cipher string which allowed me to support all of the OS/browser combos I wanted while also supporting PFS:

ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED

After doing this, setting up the iRule for HSTS, and renewing my cert with SHA-256 my site hit the "A+" mark with SSLLabs.
- Steve_M__153836
  Nimbostratus
  Jun 30, 2015
  AJ the GCM suites are only available starting with 11.5.0.
- AJ_01_135899
  Cirrostratus
  Jun 02, 2015
  Is this with a specific hotfix applied to 11.4.1? I was under the impression that RC4-SHA was the only POODLE-secure cipher on 11.4.1 (and RC4-SHA would automatically bump you down to a "C"). I'm also not seeing AES-GCM in the list on 11.4.1
- Steve_M__153836
  Nimbostratus
  Apr 28, 2015
  Very cool on the A+. Thanks for the update. Can you elaborate on what versions of IE/Windows you had issues with and why? I know IE6 will obviously not work, but I'm interested to hear about other versions.
sjon_195224
Nimbostratus
Apr 28, 2015
Hey, I'm running into the same obsolete error message. Running 11.5.1, I tried your last suggestion of the following in the profile cipher list...... AES-GCM+HIGH:ECDHE+HIGH:HIGH:@STRENGTH:!RSA:!SSLV3

and this also didn't resolve.
- Steve_M__153836
  Nimbostratus
  Jun 30, 2015
  Good to hear. I had to make a change to support the Win XP/IE 8 combination. From a security perspective I think it's lunacy that we're supporting it, but just in case it is needed here is the cipher suite string I had to use. AES-GCM+ECDHE:NATIVE:RC4:!ADH:!DHE:!EXP:!LOW
- sjon_195224
  Nimbostratus
  May 20, 2015
  Sorry, it's taken a while to update due to time off and waiting on confirmation but it looks like just using AES-GCM broke Safari (v6+) but was fine in other browsers (IE 10 also needed TLS enabled). However, changing to AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA looks to have resolved on all browsers supported by our application. Thanks!
- Steve_M__153836
  Nimbostratus
  May 04, 2015
  Good to hear. I'm interested to know what the devs come back with in terms of browser compatibility using just that cipher suite. I was able to reproduce your issue. I think the problem is that my initial cipher suite order that I posted didn't support any AES-GCM cipher suites that were 128-bit and I think browsers are still going after the 128-bit ciphers. Just a guess, but I think that's it. Once I tweaked it to allow a 128-bit AES-GCM cipher towards the top it used the GCM cipher suite. I used AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA
David_Holmes_9
Historic F5 Account
Sep 09, 2014
Try this string. It "prefers" DHE ciphers but allows all other normal ciphers just in case the client doesn't want to go ECDHE.

ECDHE+HIGH:HIGH
- Steve_M__153836
  Nimbostratus
  Dec 08, 2014
  Thank you David. This helps.