F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

mahnsc's avatar
mahnsc
Icon for Nimbostratus rankNimbostratus
Aug 08, 2018

Unexpected SSL Client Behavior

I have an SSL Client profile with a cipher list that is sorted by preferred cipher order: AES256-SHA256:AES256-SHA:DES-CBC3-SHA:AES128-SHA256:AES128-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:DHE-RSA-AE...
application delivery
BIG-IP
LTM
Tyler_Shaw_9498's avatar
Tyler_Shaw_9498
Historic F5 Account
Aug 09, 2018

The BIG-IP should always use the server cipher list as the sole authority on the order of chosen ciphers (https://support.f5.com/csp/article/K12390). Given that, I suspect that the clients are not offering up the stronger ciphers as available. If the clients are offering up the same client hello, the BIG-IP will choose the same way every time.

 

You can see the list of ciphers offered by the client in a packet capture by looking at "Client Hello" packet in wireshark. It will be the first packing after the TCP handshake is complete.