About Cipher Suites

Question

Hello experts,&nbsp;We've been doing SSL LAB scans lately.We found that with the same certificate and the same client ssl profile settings, the scanning results are not the same.The strange thing is that according to the following articlehttps://my.f5.com/manage/s/article/K12982What I see is that F5 is not yet supported by secp521r1.Why does the scanned result have secp521r1?

tofunmi · Answer

Are you doing SSL offloading on that VIP? If your VIP is not doing full SSL offload (e.g., SSL Passthrough or using a transparent profile), the curve seen could be coming from the backend server, not F5.&nbsp;openssl s_client -connect &lt;IP&gt;:443 -curves secp521r1
If the VIP is truly terminating SSL and does not support secp521r1, the handshake should fail. If the backend server supports it, the same test against it directly will succeed. This should help isolate whether the F5 or the backend is advertising support for that curve.

Forum Discussion

About Cipher Suites

1 Reply

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Sending an HTTP request from iRule without delaying client requests

Route Domains HA & Traffic Groups

Horizon View iApp - Big-IP 17.5

r4600 Tenant CPU Assignment

BGP Over 2 vlans to 2 Network switch

Related Content

Cipher Suite Practices and Pitfalls

Cipher Suites Supported (12.1.5.3)

Disabling Specific Weak Cipher Suites

Cipher suite mismatch advertisement/warning

SSL Profiles Part 4: Cipher Suites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS