Forum Discussion
10 Replies
- mo_99289 (Historic F5 Account): Don't think bigip can support that. May I know the cipher and the version of F5?
- pcr654_224362 (Nimbostratus): Thank you for answering. We are using version 11.6, but we have a list of ciphers. An example is TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- awilhelm (Employee):
The short answer is no, but from your comment above I don't think that answers your question.
There are two different ways of naming ciphers, the way they're named by IANA and RFCs and the way they're named by OpenSSL. F5 TMOS uses OpenSSL format for its cipher string. You can tell them apart because the RFC format usually uses underscores and the OpenSSL format uses hyphens. To translate between them you should refer to the OpenSSL ciphers manual page.
For example, for TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 → ECDHE-ECDSA-AES256-SHA384
From SOL13163 we can see that ECDHE-ECDSA-AES256-SHA384 is supported in 11.6.0.
Note that above I changed ECDH in the RFC name to ECDHE. F5 software only supports ephemeral Diffie-Hellman, which is indicated by the E.
- pcr654_224362 (Nimbostratus): Thank you for your response, this was very helpful. But just to clarify, even though the OpenSSL format does not mention CBC in the string, it is still the same as the RFC?
- awilhelm (Employee): It is. OpenSSL tends to elide certain things in their names - for example, if no auth method is specified it's usually RSA (same for key agreement), and if an OpenSSL string just says AES it implies CBC.
- pcr654_224362 (Nimbostratus): Thank you very much. That helped a lot.
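The naming rules described in the replies above (underscores to hyphens, RSA and CBC elided, static ECDH swapped for ECDHE), written out as an added example that is not part of any poster's reply. It goes beyond the single suite in the thread but covers AES suites only; `iana_to_openssl`, `for_tmos` and the sample list are hypothetical names and constructed data, and results should still be checked against the OpenSSL ciphers manual page and SOL13163.

```python
import re

# IANA key-exchange/authentication prefix -> OpenSSL prefix.
# Plain RSA is elided entirely in the OpenSSL name.
KX_AUTH = {
    "RSA": "",
    "DHE_RSA": "DHE-RSA",
    "ECDHE_RSA": "ECDHE-RSA",
    "ECDHE_ECDSA": "ECDHE-ECDSA",
    "ECDH_RSA": "ECDH-RSA",
    "ECDH_ECDSA": "ECDH-ECDSA",
}

SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_AES_(?P<bits>128|256)_"
    r"(?P<mode>CBC|GCM)_(?P<mac>SHA256|SHA384|SHA)$"
)

def iana_to_openssl(name):
    """Rename an IANA/RFC AES suite to OpenSSL form (rename only, no support check)."""
    m = SUITE.match(name.strip())
    if not m or m["kx"] not in KX_AUTH:
        raise ValueError("not covered by this example, use the manual page: " + name)
    parts = [KX_AUTH[m["kx"]], "AES" + m["bits"]]
    if m["mode"] == "GCM":      # GCM is spelled out; CBC is implied and dropped
        parts.append("GCM")
    parts.append(m["mac"])
    return "-".join(p for p in parts if p)

def for_tmos(name):
    """Return (openssl_name, note); static ECDH is mapped to ECDHE as in the thread."""
    note = ""
    if name.startswith("TLS_ECDH_"):
        name = name.replace("TLS_ECDH_", "TLS_ECDHE_", 1)
        note = "static ECDH replaced by ECDHE"
    return iana_to_openssl(name), note

if __name__ == "__main__":
    # Constructed sample list, in the RFC format a requirements document might use.
    requested = [
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ]
    for suite in requested:
        openssl_name, note = for_tmos(suite)
        print(suite, "->", openssl_name, ("(" + note + ")") if note else "")
```
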