For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 08, 2013

The issue is that Firefox will natively attempt to negotiate a cipher that the LTM doesn't support (ex. DH, EDH, etc.). Yes there are comparable ciphers between the two, but if the initial cipher selection isn't supported by the LTM then it will fail closed. IE generally has a smaller list of supported ciphers and just happens to default to ciphers that the LTM supports. The LTM is a silent party to the SSL negotiation between client and server when doing ProxySSL, and as such has no influence over what ciphers are chosen. You could definitely still get it to work, but you'd likely have to modify both the client and the server to negotiate a different set of ciphers, something that isn't really realistic unless you control the clients.

 

You can actually watch this process and the negotiated ciphers with an ssldump and the private key used in the ProxySSL client and server SSL profiles.

 

Version 11 has added quite a few new ciphers and HF5 actually fixed a bug with ProxySSL and SSL renegotiation, and reportedly more ciphers are coming.