Forum Discussion
PQC: a blindspot (logging) on BIG-IP - RFE
you can try to log it using SSL::cipher object
- amolariJul 10, 2026
Cirrostratus
That won't work, as per the note from F5 support:
What IS Available via iRules on BIG-IP 17.5.1
1. Log negotiated cipher suite and TLS version (post-handshake) Per KB K86071030:
when CLIENTSSL_HANDSHAKE { log local0. "Client: [IP::client_addr] - TLS: [SSL::cipher version] - Cipher: [SSL::cipher name] - Bits: [SSL::cipher bits]" }
Limitation: [SSL::cipher name] returns the TLS 1.3 cipher suite (e.g., TLS_AES_128_GCM_SHA256), which does not include the key exchange group. In TLS 1.3, the cipher suite and key exchange group are decoupled by design.
2. Log client's offered cipher list (pre-handshake) Per KB K10452619:
when CLIENTSSL_CLIENTHELLO { log local0. "Client: [IP::client_addr] - OfferedCiphers: [SSL::cipher clientlist]" }
Limitation: [SSL::cipher clientlist] returns cipher suite hex codes from the ClientHello — it does not expose the supported_groups or key_share TLS extensions. The PQC group identifier (e.g., 0x11EC for X25519MLKEM768) is advertised in the key_share extension, which is not accessible via this command.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com