I have a requirement to prefer some server cipher suites over others (server's preference) in one of the LTM VS we use. I used a custom Cipher Suite in my Client-SSL Profile and set the "Cipher server preference" option. The F5, however, seems to ignore this option, and the cipher that wins the selection is always the one at the top of the client's list. To demonstrate the issue, I used openssl s_client (below) with ssldump on the F5. I found a few articles suggesting that this option is a known troublemaker, but all of them seem to describe the opposite issue: people have problems forcing the client list to be used (client's preference).
I'm running BIG-IP LTM 18.104.22.168 on 4200v platform.
openssl s_client -connect S.S.S.S:443 -cipher 'AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
F5 ssldump output:
New TCP connection #1: C.C.C.C(35587) <-> S.S.S.S(443)
1 1 0.0005 (0.0005) C>S Handshake
1 2 0.0005 (0.0000) S>C Handshake
56 bc f9 f6 ea 40 ac 1b be 04 ea 8c d0 09 d4 22
bc a4 43 96 f5 43 f6 ba bf 02 2c d0 a2 99 24 33
openssl s_client -connect S.S.S.S:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256'
F5 ssldump output:
New TCP connection #2: C.C.C.C(18415) <-> S.S.S.S(443)
2 1 0.0004 (0.0004) C>S Handshake
2 2 0.0015 (0.0011) S>C Handshake
9a 30 dc 8b 6e f5 d0 ee 83 f9 11 b5 d5 3d 78 77
e2 f5 58 57 65 5b 52 33 64 1e 88 fc a6 cd c8 87
Any idea on how to force the server's preference would be highly appreciated.
Interesting. I couldn't find a bug fix article for your version though, but I know that beginning in v15 this feature is being taken out completely, so that it honors the server's cipher suite preference.
I think you may need an engineering hotfix for your current version or go with an upgraded version.
Try to open a support case to get confirmation from F5 Support partners.
Thanks for the confirmation. In the meantime I checked the exact same setup on my VE LAB with the same version, and there it works as expected.
Going to open a support case as you suggested.
We found out that this behavior happens when using an HTTP/2 profile. Once we removed it, the cipher suites were selected based on the server's list. We are still trying to figure out how to make this work with the HTTP/2 profile in place.
Thank you for reporting back.
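The test method from the opening post (two openssl s_client runs with the same two suites in opposite order) can be scripted so the result is classified mechanically, and, given the finding that the HTTP/2 profile changes the outcome, the same probe can be repeated with and without ALPN "h2" advertised. The following is an added example written for this thread, not code from the poster or from F5; the host and port are assumed placeholders, the two suite lists are the ones quoted above, and the classification rule (same pick under both orderings means server preference, top-of-list pick both times means client preference) is this example's own.

```python
"""Probe whether a TLS server honors its own cipher order or the client's.

Runs two TLS 1.2 handshakes offering the same two suites in opposite order
(exactly what the openssl s_client tests in the thread do), optionally
advertising ALPN so an HTTP/2-enabled listener is exercised, and classifies
the result.  Assumed placeholders: HOST/PORT; the suite lists are the ones
from the thread.
"""
import socket
import ssl
import sys
from typing import Optional, List

# The two orderings used in the thread's openssl s_client tests.
CIPHERS_A = "AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
CIPHERS_B = "ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256"


def first_suite(cipher_list: str) -> str:
    """The suite the client lists first, i.e. its top preference."""
    return cipher_list.split(":")[0]


def negotiated_cipher(host: str, port: int, cipher_list: str,
                      alpn: Optional[List[str]] = None,
                      timeout: float = 5.0) -> Optional[str]:
    """One TLS 1.2 handshake offering cipher_list in that order.

    Returns the suite the server selected, or None if the handshake failed.
    Certificate verification is disabled on purpose: this probe only looks at
    cipher selection, so a lab certificate must not abort the test.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    # Pin to TLS 1.2: TLS 1.3 suites are configured separately and would hide
    # the ordering question the thread is about.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    if alpn:
        ctx.set_alpn_protocols(alpn)     # e.g. ["h2", "http/1.1"] to look like an HTTP/2 client
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None


def classify(offered_a: str, chosen_a: Optional[str],
             offered_b: str, chosen_b: Optional[str]) -> str:
    """Decide whose preference won.

    offered_x is the client's first-listed suite in probe x, chosen_x what the
    server picked.  Returns 'server', 'client' or 'inconclusive'.
    """
    if chosen_a is None or chosen_b is None:
        return "inconclusive"            # a handshake failed; nothing to compare
    if offered_a == offered_b:
        return "inconclusive"            # the two orderings do not actually differ
    if chosen_a == chosen_b:
        return "server"                  # same pick regardless of client order
    if chosen_a == offered_a and chosen_b == offered_b:
        return "client"                  # server followed the client's top choice both times
    return "inconclusive"                # e.g. server supports only one of the suites


def probe(host: str, port: int, alpn: Optional[List[str]] = None) -> dict:
    """Run both orderings against one listener and return the verdict plus details."""
    chosen_a = negotiated_cipher(host, port, CIPHERS_A, alpn)
    chosen_b = negotiated_cipher(host, port, CIPHERS_B, alpn)
    return {
        "alpn": alpn,
        "ordering_a": CIPHERS_A, "chosen_a": chosen_a,
        "ordering_b": CIPHERS_B, "chosen_b": chosen_b,
        "verdict": classify(first_suite(CIPHERS_A), chosen_a,
                            first_suite(CIPHERS_B), chosen_b),
    }


if __name__ == "__main__":
    # Usage: python probe_cipher_pref.py HOST [PORT]   (HOST/PORT are placeholders)
    host = sys.argv[1] if len(sys.argv) > 1 else "S.S.S.S"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    # Plain client first, then one that advertises h2, so a difference between
    # the two runs points at the HTTP/2 profile as the thread found.
    for alpn in (None, ["h2", "http/1.1"]):
        r = probe(host, port, alpn)
        print(f"ALPN={r['alpn']}: A->{r['chosen_a']}  B->{r['chosen_b']}  verdict={r['verdict']}")
```

The verdict "server" means the listener picked the same suite under both client orderings, which is what the "Cipher server preference" option is supposed to produce; "client" means it followed the client's first-listed suite both times, which is the symptom reported above. Running the probe once without ALPN and once advertising h2 against the same virtual server reproduces the comparison the thread arrived at by removing the HTTP/2 profile.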