
F5


Your source for information on mastering F5 technology.

SOL13163 - SSL ciphers supported on BIG-IP platforms (11.x)

Note: This article does not apply to the SSL stack used in the Configuration utility.

This article applies to BIG-IP 11.x. For information about other versions, refer to the following article: SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)

BIG-IP platforms support NATIVE and COMPAT Secure Socket Layer (SSL) stacks. Each SSL stack supports a different set of SSL ciphers.

Native SSL stacks

The NATIVE stack is an optimized SSL stack that the BIG-IP system can use to leverage hardware acceleration for bulk crypto operations.

Compat SSL stacks

The COMPAT stack supports the ciphers that the NATIVE SSL stack supports, in addition to ciphers from the OpenSSL suite.

Supported Ciphers

Note: For information on the specific ciphers supported in the default SSL profiles, refer to SOL13156: SSL ciphers used in the default SSL profiles (11.x).

The SSL ciphers supported on BIG-IP systems have changed across versions.

Supplemental Information

SOL15194 - Overview of the BIG-IP SSL/TLS cipher suite

Summary

This article explains the usage and format of SSL/TLS cipher suites used by BIG-IP SSL profiles.

Description

Prior to building a secure channel with SSL/TLS, clients and servers must exchange and agree upon a number of security parameters in order to provide confidentiality, authentication, and message integrity. Security parameters presented for negotiating secure communication are represented in a single string referred to as a cipher suite with the following format:

Key Exchange-Authentication-Cipher[-Cipher Mode*]-MAC

The cipher suite is defined as follows:

Example cipher suites

To understand the elements within the ECDHE-RSA-AES128-CBC-SHA cipher suite, you can separate them as follows:

To understand the elements within the AES256-SHA256 cipher suite, you can separate them as follows:

In this example, the cipher suite only states the Cipher algorithm and the MAC.

To understand the elements within the ECDHE-ECDSA-AES128-SHA cipher suite, you can separate them as follows:

For example:

SOL13171 - Configuring the cipher strength for SSL profiles (11.x)

This article applies to BIG-IP 11.x.

For information about other versions, refer to the following article: SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)

Purpose

You should consider using this procedure under the following condition: You want to configure a custom cipher list for a Client or Server SSL profile.

Prerequisites

You must meet the following prerequisite to use this procedure: You have access to the BIG-IP Configuration utility or command line.

Description

BIG-IP SSL stacks

BIG-IP Secure Socket Layer (SSL) profiles can use ciphers from two different SSL stacks: the NATIVE stack is built into the Traffic Management Microkernel (TMM), and the COMPAT stack is based on the OpenSSL library.

In BIG-IP 11.x, the SSL profiles only use ciphers from the NATIVE SSL stack.

Note: For a complete list of supported SSL ciphers from the NATIVE and COMPAT SSL stacks, refer to SOL13163: SSL ciphers supported on BIG-IP platforms (11.x).

Default cipher list for SSL profiles

Versions. Manual Chapter: SNMP.