F5 upgrade

Question

Hi Team,&nbsp;
we have two F5 in our Environment, one on version 11.3.0 and another on 11.4.0.&nbsp;
Due to POODLE Vulnerability  issues we have redesigned   our application and application is supporting only TLSV1.2 protocol now. since due to this  all our ciphers have changed and now we need to get these ciphers in F5.&nbsp;
Following are the ciphers we added in our application,&nbsp;
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA&nbsp;
so now i am planning to upgrade on version 11.6.0 or 12.0.0. Could you please tell me which is the stable version i can use. on which F5 software i will get all these above ciphers?&nbsp;
Appreciate your response on this.&nbsp;
-Akhilesh&nbsp;

ianb · Answer

Please refer to SOL13163 for a list of ciphers supported in each version
Information about Poodle is available in SOL15702, and neither 11.6.0 nor 12.0.0 are vulnerable to it, though your webserver would be negotiating SSL directly with the client if the virtual server type is FastL4 (aka performance)
You can verify what your cipher string would select by asking tmm, using --clientciphers, as below:
Note that you must use single quotes to enclose the cipher string if your string contains a ! character, to prevent the shell from interpreting it.
 tmm --clientciphers 'AES:!SHA'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
 3:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS
 4: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA
 5: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
 6:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
 7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 8: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 9:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
10:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS
11: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA
12: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
13:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA

Forum Discussion

F5 upgrade

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

Error post F5 upgrade

Upgrade F5 BIGIP

F5 LTM HA pair upgrade Automation using Python

7 Steps Checklist before upgrading your F5 BIG-IP

Knowledge sharing: F5 Software Upgrade/RMA process

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS