BIG-IP SSL Cipher History

John Hall, the fuzz-master at F5, put together this handy spreadsheet showing the SSL cipher suite support sets for F5 BIG-IP software releases over the years.

 

At the time of this writing, most BIG-IPs in the wild are somewhere between 11.2 and 11.4. But there are, and probably will always be, customers running versions as old as 10.2.4.

 

The green arrows indicate support in the NATIVE SSL stack. The NATIVE stack is F5’s custom SSL code. Most of the ciphers are offloaded to hardware when acceleration is available. Though some of them, such as the GCM suites, are only handled in software at this time.

 

The red arrows indicate support in the COMPAT stack. The COMPAT stack pulls in the OpenSSL processing code. Typically this is only used for legacy clients that can only talk to OpenSSL. These are few and far between and thus the COMPAT stack is very rarely seen in the wild (less than 1%).

 

Anyway, this is a handy eye-chart for research or provisioning for BIG-IP and SSL.
 

Published May 06, 2015
Version 1.0
BIG-IP
security
ssl

Was this article helpful?

3 Comments

Sort By
  • Amit_Karnik_269's avatar
    Amit_Karnik_269
    Icon for Nimbostratus rankNimbostratus
    May 13, 2015
    This is good stuff. If you also add how the "DEFAULT" cipher string has evolved across the versions, that will be awesome.
  • MegaZone's avatar
    MegaZone
    Icon for SIRT rankSIRT
    May 26, 2015
    Amit: The DEFAULT ciphers by version are here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html And if you want to know exactly what the 'DEFAULT' keyword decodes to internally, see: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html For a kind of index SOL to the other SSL/TLS SOLs: https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html