Akhilesh_128432
Feb 16, 2016

F5 upgrade

Hi Team,

We have two F5s in our environment, one on version 11.3.0 and another on 11.4.0.

Due to POODLE vulnerability issues we have redesigned our application, and the application now supports only the TLSv1.2 protocol. Because of this, all our ciphers have changed, and now we need to get these ciphers in F5.

The following are the ciphers we added in our application:

 

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA

 

So now I am planning to upgrade to version 11.6.0 or 12.0.0. Could you please tell me which is the stable version I can use? On which F5 software will I get all the above ciphers?

Appreciate your response on this.

-Akhilesh

 

1 Reply

  • Please refer to SOL13163 for a list of ciphers supported in each version.

    Information about POODLE is available in SOL15702, and neither 11.6.0 nor 12.0.0 is vulnerable to it, though your webserver would be negotiating SSL directly with the client if the virtual server type is FastL4 (aka performance).

    You can verify what your cipher string would select by asking tmm, using --clientciphers, as below:

    Note that you must use single quotes to enclose the cipher string if your string contains a ! character, to prevent the shell from interpreting it.

     tmm --clientciphers 'AES:!SHA'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
     2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
     3:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS
     4: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA
     5: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
     6:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
     7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
     8: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
     9:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
    10:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS
    11: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA
    12: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
    13:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
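
An added example, not part of the original reply and not F5 tooling: the application's list uses IANA-style names while tmm prints its own suite names, so this sketch compares the two by the numeric ID column of the `tmm --clientciphers` output. The IDs in `APP_SUITES` are the IANA code points for eight of the suites in the question; the function names and the abridged sample rows are assumptions of this example.

```python
import re

# IANA code points for eight of the suites listed in the question.
APP_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}

# Rows copied from the tmm --clientciphers 'AES:!SHA' output in the reply (abridged).
TMM_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
 6:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
 7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
13:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
"""

# Columns captured: ID, SUITE, PROT (the row index and BITS are skipped).
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)")


def parse_tmm(text):
    """Return (suite_id, f5_name, protocol) for each data row; the header is skipped."""
    return [(int(m[1]), m[2], m[3])
            for m in map(ROW.match, text.splitlines()) if m]


def coverage(app_suites, tmm_text, protocol="TLS1.2"):
    """Match suites by numeric ID, since the application and tmm name them differently."""
    offered = {sid: name for sid, name, prot in parse_tmm(tmm_text) if prot == protocol}
    matched = {n: offered[i] for n, i in app_suites.items() if i in offered}
    missing = sorted(n for n, i in app_suites.items() if i not in offered)
    return matched, missing


if __name__ == "__main__":
    matched, missing = coverage(APP_SUITES, TMM_OUTPUT)
    for iana, f5 in matched.items():
        print(f"selected  {iana} -> {f5}")
    for iana in missing:
        print(f"missing   {iana}")
```

With the `AES:!SHA` string from the reply, the four `_CBC_SHA` (SHA-1 MAC) suites in `APP_SUITES` are reported as missing, because `!SHA` excludes them; run the check against the output for the cipher string you actually intend to set on the client SSL profile.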