BIG-IP SSL Cipher History

John Hall, the fuzz-master at F5, put together this handy spreadsheet showing the SSL cipher suite support sets for F5 BIG-IP software releases over the years.


At the time of this writing, most BIG-IPs in the wild are somewhere between 11.2 and 11.4. But there are, and probably will always be, customers running versions as old as 10.2.4.


The green arrows indicate support in the NATIVE SSL stack. The NATIVE stack is F5’s custom SSL code. Most of the ciphers are offloaded to hardware when acceleration is available, though some of them, such as the GCM suites, are handled only in software at this time.

The red arrows indicate support in the COMPAT stack. The COMPAT stack pulls in the OpenSSL processing code. Typically this is only used for legacy clients that can only talk to OpenSSL. These are few and far between and thus the COMPAT stack is very rarely seen in the wild (less than 1%).


Anyway, this is a handy eye-chart for research or provisioning for BIG-IP and SSL.

Published May 06, 2015
Version 1.0
  • This is good stuff. If you also add how the "DEFAULT" cipher string has evolved across the versions, that will be awesome.
  • Amit: The DEFAULT ciphers by version are here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
    And if you want to know exactly what the 'DEFAULT' keyword decodes to internally, see: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
    For a kind of index SOL to the other SSL/TLS SOLs: https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html