
Forum Discussion

Al_Faller_1969
Oct 22, 2014

SSL Cipher Order on LTM

Hi All -


With this whole POODLE thing, I'm reevaluating my cipher string. I am considering going with the DEFAULT setting that F5 provides (11.5.1), but I notice that it has the forward secrecy ciphers towards the end of the list. Can anyone explain why the forward secrecy ciphers would be less preferred over the RSA ciphers? Any reason I should just go with DEFAULT as opposed to customizing my cipher list?


For reference, 11.5.1's DEFAULT is:


!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4


I'm considering using the same ciphers, just changing the order:


!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:RSA+AES:RSA+3DES:RSA+RC4


Thoughts?


Thanks,


Al


1 Reply

  • I can't say the reason for the default order, though it has seemed in the past that F5 has preferred speed over encryption strength. I have switched to using my own lists on sites where I need the highest security.


    Also, I would drop RC4 completely. See https://support.f5.com/kb/en-us/solutions/public/14000/600/sol14638.html. Even if you upgrade to 11.6 to mitigate this attack, most people tend to consider it broken and not advisable to use.
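As an added example (not code from the thread, F5 or the LTM), here is a small Python model of how a cipher string like the ones above is evaluated: ':' separates tokens, '!X' disables a protocol version or excludes suites, 'A+B' selects suites carrying both keywords, and a suite's preference is the position of the first token that selects it. It runs the 11.5.1 DEFAULT, Al's reordering, and that reordering with RC4 dropped as the reply advises, over a constructed subset of suites; the suite table, the keyword-to-suite mapping and the matching rules are assumptions that simplify the real LTM/OpenSSL behaviour.

```python
"""Simplified model of F5/OpenSSL-style cipher-string evaluation (added example, not
F5's code): ':' separates tokens, '!X' disables a protocol or excludes suites for good,
'A+B' selects suites carrying both keywords, and preference follows first selection."""
# Constructed subset of suites, name -> keywords (assumption, not F5's real table).
# "RSA" here means static RSA key exchange; ECDHE-RSA suites carry "ECDHE" instead.
SUITES = {
    "AES128-SHA":             {"RSA", "AES", "SHA"},
    "AES256-SHA":             {"RSA", "AES", "SHA"},
    "DES-CBC3-SHA":           {"RSA", "3DES", "SHA"},
    "RC4-SHA":                {"RSA", "RC4", "SHA"},
    "RC4-MD5":                {"RSA", "RC4", "MD5"},
    "EXP-RC4-MD5":            {"RSA", "RC4", "MD5", "EXPORT"},
    "ECDHE-RSA-AES128-SHA":   {"ECDHE", "AES", "SHA"},
    "ECDHE-RSA-AES256-SHA":   {"ECDHE", "AES", "SHA"},
    "ECDHE-RSA-DES-CBC3-SHA": {"ECDHE", "3DES", "SHA"},
    "ECDHE-RSA-RC4-SHA":      {"ECDHE", "RC4", "SHA"},
}
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}
# 11.5.1 DEFAULT, Al's reordering, and that reordering with RC4 dropped (reply's advice).
DEFAULT_11_5_1 = "!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4"
REORDERED = "!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:RSA+AES:RSA+3DES:RSA+RC4"
NO_RC4 = "!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES"

def expand(cipher_string, suites=SUITES):
    """Return (ordered suite names, disabled protocol versions) for a cipher string."""
    selected, excluded, disabled = [], set(), set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            keyword = token[1:]
            if keyword in PROTOCOLS:      # protocol control, not a suite property
                disabled.add(keyword)
                continue
            excluded.update(n for n, kw in suites.items() if keyword in kw)
            selected = [n for n in selected if n not in excluded]  # '!' also removes earlier picks
            continue
        wanted = set(token.split("+"))
        for name, keywords in suites.items():
            if wanted <= keywords and name not in excluded and name not in selected:
                selected.append(name)
    return selected, disabled

def forward_secrecy_first(order, suites=SUITES):
    """True when every ECDHE suite precedes every static-RSA key-exchange suite."""
    kx = ["ECDHE" if "ECDHE" in suites[n] else "RSA" for n in order]
    return "ECDHE" in kx and kx == sorted(kx, key=lambda k: k != "ECDHE")

if __name__ == "__main__":
    for label, s in [("DEFAULT", DEFAULT_11_5_1), ("REORDERED", REORDERED), ("NO_RC4", NO_RC4)]:
        order, disabled = expand(s)
        print(f"{label}: FS-first={forward_secrecy_first(order)} disabled={sorted(disabled)}")
        print("  " + " ".join(order))
```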