ADC health monitor and SSL cipher

Community Forum Forums Thunder and AX Series General ADC health monitor and SSL cipher

This topic contains 2 replies, has 2 voices, and was last updated by avatar diederik 4 months, 3 weeks ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #14232
    avatar
    kakoni
    Member

    Trying to config health monitor to use tls1.1/tls 1.2 level ssl ciphers.
    I’ve tried something like DEFAULT:!SSLv3:!SSLv2:!TLSv1, or even just TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256:TLS1_ECDHE_RSA_AES_128_GCM_SHA256 in the cli for ssl-cipher.

    I’m debugging this with openssl s_server(so that health-monitor talks to this debug server so I can see how connection is being initialized)

    openssl reports that;
    Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5

    So no sign of tls 1.1/1.2 level ciphers. I’m not using sslv2-handshake.
    Any ideas?

    #14242
    avatar
    diederik
    Member

    Hello,

    Sorry, but you should not be trying to limit the protocol version (TLS) by specifying the allowed cipher suites.

    TLS1.2 supports all previous cipher suites.
    The OpenSSL list of ciphersuites shows when the cipher suite was included, not which ciphersuites are specific to a particular protocol version.

    SO by allowing things like RC4-SHA on the server side and client (A10) side, they now can use SSLv3 as well.

    Now, I see that you state “!SSLv3:!SSLv2:!SSLv1”

    This actually tells OpenSSL that it is not allowed to use any of the cipher suites.
    I am pretty sure ACOS does not make use of OpenSSL version 1.1.0
    OpenSSL 1.1.0 is the first version of OpenSSL to actually make the distinction between TLS1.0, TLS1.1 and TLS1.2

    In previous versions of OpenSSL using !TLSv1 basically means you disable ALL TLS1.0/1.1/1.2 cipher suites.

    Now, when you use “TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256” this would actually indicate the use of a cipher suite that is unique to TLS1.2.
    But, are you sure you are using an ECDSA Certificate? You are most likely using an RSA certificate on the server side, so you can not use any of the “ECDSA” cipher suites.

    Also, the GCM cipher suite is unique to TLSv1.2, but in this case, while the A10 should support it, it seems your server does not support it.

    Make sure you select a ciphersuites that are supported by both the client and the server side.
    For testing you can try ciphersuites that are unique to TLS1.2.

    On the A10 I would use something like:

    !SHA1:!SHA:!MD5

    Which should leave you with all SHA256/SHA384 CBC & GCM cipher suites… which are just the TLS1.2 and basically ALL the TLS1.2 cipher suites.

    To be sure open a case with A10 Support to find out what version of OpenSSL is used in your version of ACOS… or limit it on the server side and let the A10 as a normal client try to connect with everything it supports.

    But better is better to directly control the supported SSL/TLS protocol version on the server side, as this will allow for many more cipher suites to be supported.
    OpenSSL does not have this granular level of control, neither does the A10 (currently) when it is acting as a client.

    But hopefully your (web)server has.

    #14252
    avatar
    diederik
    Member

    Edit:

    TLS1.2 supports all previous cipher suites.
    The OpenSSL list of ciphersuites shows “from” when the cipher suite was included, not which ciphersuites are specific to a particular protocol version.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

Comments are closed.