With the recent Heartbleed vulnerability, there's been a lot of talk about a technology called perfect forward secrecy (PFS) (or just forward secrecy) and how important it is in mitigating the effects of a private key leak. In a nutshell, without PFS, if someone like the NSA, for example, were to capture all of your traffic for the last 5 years and somehow later obtained a copy of your private key, they could go back and decrypt all of that traffic. With PFS, however, the client and server come up with a shared, random session key and never send the key across the network. The server's private key is only used to sign the key exchange, which prevents man-in-the-middle attacks. By default, on F5 BigIP LTM devices running 11.4.x, cipher suites that support PFS (and are hardware accelerated) are enabled, but they aren't prioritized and most likely aren't being used in most connections.
Note: This post was for 11.4.x. See note below for 11.5.
You can see this in the output of the tmm --clientciphers 'DEFAULT' command:
On 11.4.x, the 'DEFAULT' cipher string expands to NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED. This means "use all the available hardware-accelerated suites minus MD5, EXPORT, DES, DHE, and EDH, and finally, prioritize them all by speed". This is a great default list if you're processing a ridiculous amount of SSL traffic and need to keep the load on the boxes as low as possible, but unfortunately, notice that it also prioritizes all of the ECDHE suites last. ECDHE stands for Elliptic Curve Diffie-Hellman, and those are the cipher suites you'll want to use and prioritize if you want to ensure most connections to your servers are being encrypted in a way that supports PFS. Twitter enabled ECDHE suites back in November, and they found that doing so only negligibly increased their CPU usage. To prioritize these suites on the F5s, it's as simple as changing your default cipher suite string to ECDHE:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH. One other change you may want to make is disabling RC4 suites by adding :!RC4 to the end of that string. According to Qualys, RC4 suites should no longer be used.
After making the change(s), you can see the new order of priority and supported suites by running tmm --clientciphers 'ECDHE:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4':
If you want to be super secure, you could then prioritize the suites in that new list by strength with 'ECDHE:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:@STRENGTH', which would produce the following:
Heartbleed was scary, and it’s nice to know that by default, F5 BigIP LTM devices performing SSL offloading using the native hardware-accelerated stack weren’t affected. Enabling PFS, though, is just one more layer of added security that should be prioritized if your devices can afford the added expense.
11.5 Note: The default cipher string was changed in 11.5. If you use the strings above unchanged on 11.5, you'll leave yourself open to unauthenticated key exchanges, because anonymous Diffie-Hellman (ADH) ciphers are enabled by default. If you use the suggested cipher string above, make sure to add !ADH to it to disable the ADH ciphers. Alternatively, you could use the following, which also prioritizes GCM ciphers, which became available in 11.5: 'ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3'
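To see why the string order and the !ADH exclusion matter before touching a box, here is an added toy model (not code from this post and not F5's real parser or suite table) that applies the cipher-string keywords used above to a small constructed suite list. It assumes OpenSSL-style semantics: ':' separates terms, 'A+B' requires every keyword to match, '!' excludes a suite permanently wherever it appears, '@SPEED' and '@STRENGTH' reorder the result, and protocol keywords such as SSLv3 toggle protocol versions rather than suites; the speed ranks and the presence of an ADH suite in NATIVE are constructed to mirror the 11.4 default and the 11.5 note.

```python
# Toy model of F5-style cipher strings (constructed; not tmm's real table or parser).
# Constructed suite table: name -> (key bits, speed rank, tags). Lower rank = faster.
# ADH is listed because the 11.5 note says anonymous DH is in NATIVE by default there.
SUITES = {
    "ECDHE-RSA-AES128-SHA":        (128, 5, {"ECDHE", "AES", "SHA1"}),
    "ECDHE-RSA-AES256-GCM-SHA384": (256, 6, {"ECDHE", "AES-GCM", "SHA384"}),
    "DHE-RSA-AES256-SHA":          (256, 7, {"DHE", "EDH", "AES", "SHA1"}),
    "ADH-AES256-SHA":              (256, 4, {"ADH", "AES", "SHA1"}),
    "AES256-SHA":                  (256, 3, {"RSA", "AES", "SHA1"}),
    "AES128-SHA":                  (128, 2, {"RSA", "AES", "SHA1"}),
    "RC4-SHA":                     (128, 1, {"RSA", "RC4", "SHA1"}),
    "RC4-MD5":                     (128, 0, {"RSA", "RC4", "MD5"}),
    "DES-CBC-SHA":                 ( 56, 8, {"RSA", "DES", "SHA1"}),
    "EXP-RC4-MD5":                 ( 40, 9, {"RSA", "RC4", "MD5", "EXPORT"}),
}
PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}

def matches(tags, term):
    """'A+B' requires every tag; NATIVE matches every suite in the table."""
    return all(t == "NATIVE" or t in tags for t in term.split("+"))

def expand(cipher_string):
    """Return (ordered suite names, allowed protocols). Terms are read left to right;
    '!' exclusions are permanent wherever they appear; '@SPEED'/'@STRENGTH' reorder."""
    selected, excluded, protocols, sort_key = [], set(), set(PROTOCOLS), None
    for term in cipher_string.split(":"):
        if term.startswith("@"):
            sort_key = term[1:]
        elif term.lstrip("!") in PROTOCOLS:  # protocol keywords toggle versions, not suites
            if term.startswith("!"):
                protocols.discard(term[1:])
            else:
                protocols.add(term)
        elif term.startswith("!"):
            excluded.update(n for n, s in SUITES.items() if matches(s[2], term[1:]))
        else:
            selected += [n for n, s in SUITES.items() if matches(s[2], term) and n not in selected]
    order = [n for n in selected if n not in excluded]
    if sort_key == "STRENGTH":  # largest key first; stable sort keeps ties in selection order
        order.sort(key=lambda n: -SUITES[n][0])
    elif sort_key == "SPEED":   # fastest first: this is what pushes the ECDHE suites to the end
        order.sort(key=lambda n: SUITES[n][1])
    return order, sorted(protocols)

def pfs_preferred(cipher_string):
    """True when the most-preferred suite uses an ephemeral ECDH key exchange."""
    order, _ = expand(cipher_string)
    return bool(order) and "ECDHE" in order[0]
```

Running expand() on the 11.4 DEFAULT string puts the two ECDHE suites last, the ECDHE-prefixed string puts them first but still leaves ADH-AES256-SHA in the list, and the 11.5 string with !ADH and !SSLv3 drops both the anonymous suite and the SSLv3 protocol.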