TLS protocol switching on F5
This is the selection sequence. You can reorder them by adding @speed or @strength.
0: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
13: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
When it comes to clientssl, the F5 controls the order of ciphers. When it comes to serverssl, the application server controls it and not the F5. You see, from the client's perspective the F5 is the server, and from the server's perspective the F5 is the client. They don't know anything about each other, and there are completely separate network stacks for each of them.
The proxy SSL feature is when the F5 acts as a specialised man in the middle. See the knowledge base article on the proxy SSL feature.
- Prince_165600, May 01, 2017 (Nimbostratus)
Kevin,
By default, will F5 follow the cipher selection as per speed or as per strength?
Will I be correct to say that, even if the connection between the end client and F5 is TLS 1.0, F5 will initiate the connection at TLS1.2 (being the highest supported by the serverssl settings)?
Or does the above behavior change when I enable the "Proxy SSL" feature on both the clientssl and serverssl settings?
- Kevin_Davies_40, May 01, 2017 (Nacreous)
By default it will follow the order specified in tmm --serverciphers when you provide it a cipher string. So the order from your output in the original question you posted. You can add @speed or @strength to get it to reorder the ciphers fastest first or strongest first.
Note that on the server side the application server determines what ciphers are available to use; your cipher string just determines what ciphers you will negotiate with the server, just like any client would.
Will I be correct to say that, even if the connection between the end client and F5 is TLS 1.0, F5 will initiate the connection at TLS1.2 (being the highest supported by the serverssl settings)?
I get the impression you think the two are linked in some way? They are not. The client side can have a strong cipher and the server a weak cipher, and vice versa. They are completely independent negotiations.
- JG, May 02, 2017 (Cumulonimbus)
Kevin is right: the server side in either context gets to choose and decide which cipher to use, out of the list of supported ciphers received from the client.
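As an added illustration of the two points made in this thread (it is not F5 code and not part of the original posts), the Python below parses the `tmm --serverciphers` listing from the original question and models the two independent negotiations: on the clientssl side the F5 is the server and picks from what the end client offers using its own configured order; on the serverssl side the F5 is the client, offers its list, and the backend picks using the backend's order. Modelling `@strength` as a stable sort by key bits is my simplification of the real tmm ordering rules, and the `full_proxy` helper and the sample backend preferences are constructed for the example.

```python
"""Model of the two independent TLS negotiations an F5 full proxy performs.

Added example for this thread, not F5 code. It parses the `tmm --serverciphers`
style listing quoted in the original post and simulates server-preference
cipher selection on the clientssl side (F5 is the server) and on the serverssl
side (the backend is the server). The @strength ordering (stable sort by key
bits) is an assumed simplification; the listing entries come from the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Listing from the original post: "index: id name bits version impl cipher mac kx".
TMM_LISTING = """\
0: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
13: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
"""

# Newest first; used to pick the highest version both sides support.
VERSION_RANK = ["TLS1.2", "TLS1.1", "TLS1", "DTLS1"]


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int
    version: str


def parse_listing(text: str) -> List[Suite]:
    """Parse the tmm listing into (name, key bits, protocol version) entries."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue  # skip blank or malformed lines
        suites.append(Suite(name=parts[2], bits=int(parts[3]), version=parts[4]))
    return suites


def preference_order(suites: List[Suite], version: str,
                     modifier: Optional[str] = None) -> List[str]:
    """Cipher names usable at `version`, in listing order (the default) or,
    with "@strength", strongest key first (assumed model: stable sort by bits)."""
    names: List[str] = []
    for s in suites:
        if s.version == version and s.name not in names:
            names.append(s.name)
    if modifier == "@strength":
        bits = {s.name: s.bits for s in suites}
        names.sort(key=lambda n: -bits[n])  # stable: ties keep listing order
    return names


def negotiate_version(server_versions, client_versions) -> Optional[str]:
    """Highest protocol version supported by both sides, or None."""
    for v in VERSION_RANK:
        if v in server_versions and v in client_versions:
            return v
    return None


def negotiate(server_order: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection: the first cipher in the server's own order
    that the client also offered. The client's ordering is irrelevant."""
    offered = set(client_offer)
    for name in server_order:
        if name in offered:
            return name
    return None


def full_proxy(suites, client_versions, client_ciphers, clientssl_modifier,
               serverssl_modifier, backend_versions, backend_order
               ) -> Tuple[Tuple[Optional[str], Optional[str]],
                          Tuple[Optional[str], Optional[str]]]:
    """Run both legs and return ((clientside version, cipher), (serverside version, cipher))."""
    f5_versions = {s.version for s in suites}
    # clientssl leg: the F5 is the server, so the F5's configured order decides.
    cs_version = negotiate_version(f5_versions, client_versions)
    cs_cipher = negotiate(preference_order(suites, cs_version, clientssl_modifier),
                          client_ciphers)
    # serverssl leg: the F5 is the client; it only offers, the backend decides.
    ss_version = negotiate_version(backend_versions, f5_versions)
    f5_offer = preference_order(suites, ss_version, serverssl_modifier)
    ss_cipher = negotiate(backend_order, f5_offer)
    return (cs_version, cs_cipher), (ss_version, ss_cipher)


SUITES = parse_listing(TMM_LISTING)

if __name__ == "__main__":
    # Constructed scenario: a TLS 1.0-only client, a TLS 1.2-only backend.
    result = full_proxy(SUITES, ["TLS1"], ["DES-CBC3-SHA", "RC4-SHA"], None, None,
                        {"TLS1.2"}, ["AES256-SHA256", "AES128-SHA256", "AES256-SHA"])
    print("clientssl leg:", result[0], " serverssl leg:", result[1])
```

With the listing's default order the clientssl leg lands on RC4-SHA even though the constructed client listed DES-CBC3-SHA first, because the F5 applies its own order; switching the clientssl modifier to `@strength` changes that leg to DES-CBC3-SHA while the serverssl leg is unchanged, since the backend's preference list decides there. The version outcome is likewise independent: TLS1 towards the client and TLS1.2 towards the backend in the same proxied connection.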