squip_86995
Apr 07, 2014, Nimbostratus
OpenSSL and Heart Bleed Vuln
Get the latest updates on how F5 mitigates Heartbleed
Hi Team,
I know this question is eventually going to be asked - I may as well do it.
With the news today about the Heartblee...
BinaryCanary_19
Apr 08, 2014, Historic F5 Account
It's quite possible to work this out logically. Ref: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
- There are ciphers which exist in Native but not in Compat.
- You can specify "NATIVE:COMPAT" as a cipher string.
- Therefore, the stack used depends on which cipher is in use, with the natural preference being for NATIVE.
- BinaryCanary_19 (Apr 08, 2014, Historic F5 Account): Tested this just now on 11.2.1 using "NATIVE:COMPAT" as my cipher string on ssl profile. I can connect just fine using ciphers that are only present in NATIVE, and I can do the same using ciphers only present in COMPAT list. So that should confirm that the stack used is decided on a per-connection basis.
- BinaryCanary_19 (Apr 08, 2014, Historic F5 Account): One thing I find curious though, is that if I run "openssl ciphers" on my machine, I get a longer list of ciphers than is listed in Sol13163 in the compat list for my version (11.2.1).
- What_Lies_Bene1 (Apr 08, 2014, Cirrostratus): Yes, OpenSSL supports ALL the NATIVE ciphers as well as the compat ones but obviously those ciphers are handled by TMM and the offload hardware. Your test isn't definitive unless you check the stats and confirm that your connection shows as native, not compat.
- What_Lies_Bene1 (Apr 08, 2014, Cirrostratus): tmsh show ltm profile client-ssl 'name' should show you what's what if you use it to display stats for a profile with a mix of native and compat.