ADC health monitor and SSL cipher

Trying to configure the health monitor to use TLS 1.1/TLS 1.2 level SSL ciphers.
I've tried something like DEFAULT:!SSLv3:!SSLv2:!TLSv1, or even just TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256:TLS1_ECDHE_RSA_AES_128_GCM_SHA256 in the cli for ssl-cipher.

I'm debugging this with openssl s_server (so that the health monitor talks to this debug server and I can see how the connection is being initialized).

openssl reports that:
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5

So no sign of TLS 1.1/1.2 level ciphers. I'm not using sslv2-handshake.
Any ideas?

Comments

  • diederik Member
    edited April 2018
    Hello,

    Sorry, but you should not be trying to limit the protocol version (TLS) by specifying the allowed cipher suites.

    TLS1.2 supports all previous cipher suites.
    The OpenSSL list of ciphersuites shows when the cipher suite was included, not which ciphersuites are specific to a particular protocol version.

    So by allowing things like RC4-SHA on the server side and the client (A10) side, they can now use SSLv3 as well.

    Now, I see that you state "!SSLv3:!SSLv2:!SSLv1"

    This actually tells OpenSSL that it is not allowed to use any of the cipher suites.
    I am pretty sure ACOS does not make use of OpenSSL version 1.1.0
    OpenSSL 1.1.0 is the first version of OpenSSL to actually make the distinction between TLS1.0, TLS1.1 and TLS1.2

    In previous versions of OpenSSL using !TLSv1 basically means you disable ALL TLS1.0/1.1/1.2 cipher suites.

    Now, when you use "TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256" this would actually indicate the use of a cipher suite that is unique to TLS1.2.
    But, are you sure you are using an ECDSA Certificate? You are most likely using an RSA certificate on the server side, so you can not use any of the "ECDSA" cipher suites.

    Also, the GCM cipher suite is unique to TLSv1.2, but in this case, while the A10 should support it, it seems your server does not support it.

    Make sure you select cipher suites that are supported by both the client and the server side.
    For testing you can try ciphersuites that are unique to TLS1.2.

    On the A10 I would use something like:

    !SHA1:!SHA:!MD5

    Which should leave you with all SHA256/SHA384 CBC & GCM cipher suites... which are just the TLS1.2 ones, and basically ALL the TLS1.2 cipher suites.

    To be sure open a case with A10 Support to find out what version of OpenSSL is used in your version of ACOS... or limit it on the server side and let the A10 as a normal client try to connect with everything it supports.

    But it is better to directly control the supported SSL/TLS protocol version on the server side, as this will allow many more cipher suites to be supported.
    OpenSSL does not have this granular level of control, neither does the A10 (currently) when it is acting as a client.

    But hopefully your (web)server has.
  • diederik Member
    edited April 2018
    Edit:

    TLS1.2 supports all previous cipher suites.
    The OpenSSL list of ciphersuites shows "from" when the cipher suite was included, not which ciphersuites are specific to a particular protocol version.
  • kakumaku Member

    Can someone please let me know how to configure this in A10? This is very simple in F5 but I wasn't able to find this in A10.

    DEFAULT:!SSLv3:!SSLv2:!TLSv1

  • mdunn Member ✭✭

    Within the client-ssl template, you can specify the allowed versions as well as disable sslv3

    ssli-l3-lab1[ssli_in](config-client ssl)#version ?
      <30-34>  TLS/SSL version: 30-SSLv3.0, 31-TLSv1.0, 32-TLSv1.1, 33-TLSv1.2 and 34-TLSv1.3
    
    ssli-l3-lab1[ssli_in](config-client ssl)#disable-sslv3?
      disable-sslv3  Reject Client requests for SSL version 3
    
    # The following would only allow TLS1.2 and TLS1.1
    slb template client-ssl  example_client_ssl
      disable-sslv3
      version 33 32
    

    Does that fit the requirement?
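A way to check the point made in this thread (a cipher string does not pin the protocol version, and `!TLSv1` means something different on OpenSSL versions before 1.1.0) against the OpenSSL you actually have: this is an added example, not code from the thread or from A10. It uses Python's ssl module and assumes Python 3.6+ linked against OpenSSL 1.1.x or 3.x; the cipher strings are the ones quoted above.

```python
import ssl

# Added example (not from the A10 thread): inspect what an OpenSSL cipher
# string really leaves enabled, using Python's ssl module on the local OpenSSL.
# Assumes Python 3.6+ with OpenSSL 1.1.x or 3.x. On OpenSSL 1.0.2 the
# '!TLSv1' case below empties the list outright, which is the behaviour the
# thread describes for older OpenSSL.

MODERN = ("TLSv1.2", "TLSv1.3")  # suites that cannot be negotiated below TLS 1.2


def enabled_suites(cipher_string):
    """Return [(name, lowest protocol that can carry it), ...] for a cipher
    string, or [] when OpenSSL rejects it ("no cipher match")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() reports 'SSLv3' for suites like RC4-SHA or AES256-SHA,
    # 'TLSv1' for the ECDHE CBC/SHA1 suites and 'TLSv1.2' for SHA256/SHA384
    # and GCM suites. A suite tagged 'SSLv3' is still valid under TLS 1.2,
    # which is why a cipher string alone cannot forbid old protocol versions.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def legacy_suites(cipher_string):
    """Suites left enabled that a TLS 1.0/1.1 (or SSLv3) peer could also use.
    A non-empty result means the string does not restrict you to TLS 1.2."""
    return [n for n, p in enabled_suites(cipher_string) if p not in MODERN]


if __name__ == "__main__":
    for s in ("DEFAULT",
              "DEFAULT:!SSLv3:!SSLv2:!TLSv1",   # the original poster's string
              "DEFAULT:!SHA1:!SHA:!MD5"):       # the reply's suggestion
        print(f"{s!r}: {len(enabled_suites(s))} enabled, "
              f"{len(legacy_suites(s))} still negotiable below TLS 1.2")
```

The real fix remains the protocol-version control shown in the client-ssl template above; the script only shows what each cipher string does and does not rule out.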
