Forum Discussion

pcr654_224362's avatar
pcr654_224362
Icon for Nimbostratus rankNimbostratus
Feb 23, 2016

supported ciphers list

Can I use a cipher that is not on the supported ciphers list for my version of F5  
BIG-IP
security
Amy_123193's avatar
Amy_123193
Historic F5 Account
Feb 24, 2016

The short answer is no, but from your comment above I don't think that answers your question.

There are two different ways of naming ciphers, the way they're named by IANA and RFCs and the way they're named by OpenSSL. F5 TMOS uses OpenSSL format for its cipher string. You can tell them apart because the RFC format usually uses underscores and the OpenSSL format uses hyphens. To translate between them you should refer to the OpenSSL ciphers manual page.

For example, for 

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384

From SOL13163 we can see that 

ECDHE-ECDSA-AES256-SHA384
is supported in 11.6.0.

Note that above I changed ECDH in the RFC name to ECDHE. F5 software only supports ephemeral Diffie-Hellman, which is indicated by the E.

  • pcr654_224362's avatar
    pcr654_224362
    Icon for Nimbostratus rankNimbostratus
    Feb 24, 2016
    Thank you for your response this was very helpful. But Just to clearify, even though the OpenSSL format does not mention CBC in the string, it is still the same as the RFC?
  • Amy_123193's avatar
    Amy_123193
    Historic F5 Account
    Feb 24, 2016
    It is. OpenSSL tends to elide certain things in their names - for example, if no auth method is specified it's usually RSA (same for key agreement), and if an OpenSSL string just says AES it implies CBC.
  • pcr654_224362's avatar
    pcr654_224362
    Icon for Nimbostratus rankNimbostratus
    Feb 24, 2016
    Thank you very much. That helped a lot.