For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

riyad_fami_1308's avatar
riyad_fami_1308
Icon for Nimbostratus rankNimbostratus
Oct 30, 2016

custom SSL cipher suite

Hi, We have F5 LTM software version 10.2.3 and we are trying to setup Vmware Identity Manager load balanced through the LTM. The VIP uses server ssl profile serverssl-insecure-compatible. Apparently the servers are negotiating to use a cipher which is not supported by the default cipher suite. As per the vendor we need to have an SSL profile with cipher suite similar to LTM version 11.5.1. I have read about COMPAT ssl profile but not sure if this is exactly what im looking for. Can you advice me is we can configure SSL profile with the custom ciphers and the steps how to do it.

 

Thank you.

 

application delivery
LTM

2 Replies

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Oct 31, 2016

    As per SOL7815, 10.2.x code version's default cipher suite is:

    !SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED

     

    As per SOL13171 default ciphers for 11.5.x is

    !SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:!MD5:!SSLv3

     

    Normally, the recent code versions tend to support the newer cipher suites like the ECDHE. I am not sure if that can be made to work in 10.x code version.

    I would recommend the following:

    1. 10.x code version will be End of Support December 31, 2016. If this is a new set up, you may want to consider upgrading your code before setting it up as you will be looking at a code migration quite soon.

    2. If you don't want to upgrade code, provide the cipher suite available in 10.2.x code version and make sure that it is supported. Even if all the ciphers suites are not supported, some will be supported and that should suffice for your setup to work.