Forum Discussion

pcr654_224362 (Nimbostratus)
Feb 23, 2016

supported ciphers list

Can I use a cipher that is not on the supported ciphers list for my version of F5

 

10 Replies

  • mo_99289 (Historic F5 Account)
    Don't think BIG-IP can support that. May I know the cipher and the version of F5?
  • Thank you for answering. We are using version 11.6, but we have a list of ciphers. An example is TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • The short answer is no, but from your comment above I don't think that answers your question.

    There are two different ways of naming ciphers, the way they're named by IANA and RFCs and the way they're named by OpenSSL. F5 TMOS uses OpenSSL format for its cipher string. You can tell them apart because the RFC format usually uses underscores and the OpenSSL format uses hyphens. To translate between them you should refer to the OpenSSL ciphers manual page.

    For example, for TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:

    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384

    From SOL13163 we can see that ECDHE-ECDSA-AES256-SHA384 is supported in 11.6.0.

    Note that above I changed ECDH in the RFC name to ECDHE. F5 software only supports ephemeral Diffie-Hellman, which is indicated by the E.

    • pcr654_224362 (Nimbostratus)
      Thank you for your response, this was very helpful. But just to clarify, even though the OpenSSL format does not mention CBC in the string, it is still the same as the RFC?
    • awilhelm (Employee)
      It is. OpenSSL tends to elide certain things in their names - for example, if no auth method is specified it's usually RSA (same for key agreement), and if an OpenSSL string just says AES it implies CBC.
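As an added illustration of the two naming conventions discussed in this thread (this is example code written here, not code from the posts above or from F5), the Python below applies the translation rules the answers state: IANA names use underscores and spell out every component, OpenSSL names use hyphens, drop TLS_ and WITH_, elide RSA when it is both key exchange and authentication, and write AES_128_CBC as AES128 with CBC implied. It also flags static ECDH/DH key exchange, which the answer says F5 does not offer. The supported-suite set is a constructed placeholder: the only entry the thread actually confirms for 11.6.0 is ECDHE-ECDSA-AES256-SHA384, so check SOL13163 for the real list for your version.

```python
import re

# Added example, not from the thread or from F5. Covers the regular AES suites
# only; 3DES, RC4 and CHACHA20 suites have irregular OpenSSL names and are
# reported as untranslated rather than guessed.
_IANA = re.compile(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)")
_AES = re.compile(r"AES_(128|256)_(CBC|GCM)_(SHA|SHA256|SHA384)")


def iana_to_openssl(name: str) -> str:
    """Translate an IANA/RFC suite name to its OpenSSL cipher-string name."""
    m = _IANA.fullmatch(name)
    if not m:
        raise ValueError(f"not an IANA-style suite name: {name}")
    kx_auth, bulk_mac = m.groups()
    # Plain RSA (RSA key transport + RSA auth) is elided entirely by OpenSSL.
    prefix = "" if kx_auth == "RSA" else kx_auth.replace("_", "-")
    a = _AES.fullmatch(bulk_mac)
    if not a:
        raise ValueError(f"bulk cipher not covered by this translator: {name}")
    bits, mode, mac = a.groups()
    # AES_128_CBC -> AES128 (CBC implied); AES_128_GCM -> AES128-GCM (kept).
    suffix = f"AES{bits}" + ("-GCM" if mode == "GCM" else "") + f"-{mac}"
    return f"{prefix}-{suffix}" if prefix else suffix


def is_ephemeral(name: str) -> bool:
    """True when key exchange is DHE/ECDHE, the trailing 'E' the answer points out.

    Accepts either naming form. A name with no explicit key exchange
    (OpenSSL 'AES128-SHA', IANA 'TLS_RSA_...') is RSA key transport.
    """
    first = name.split("_")[1] if name.startswith("TLS_") else name.split("-")[0]
    return first in ("DHE", "ECDHE")


def check_suites(iana_names, supported_openssl):
    """Map each IANA suite to (openssl_name, verdict).

    verdict is 'supported', 'unsupported', 'static key exchange' (DH/ECDH
    without the E, which the thread says F5 does not offer) or an
    'untranslated: ...' message for suites this translator does not cover.
    """
    result = {}
    for n in iana_names:
        try:
            o = iana_to_openssl(n)
        except ValueError as e:
            result[n] = (None, f"untranslated: {e}")
            continue
        if not is_ephemeral(n) and n.split("_")[1] in ("DH", "ECDH"):
            verdict = "static key exchange"
        elif o in supported_openssl:
            verdict = "supported"
        else:
            verdict = "unsupported"
        result[n] = (o, verdict)
    return result


# Constructed placeholder list. Only ECDHE-ECDSA-AES256-SHA384 is confirmed by
# the thread (via SOL13163) for 11.6.0; the other two entries are assumptions.
SUPPORTED_11_6_EXAMPLE = {
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
}

if __name__ == "__main__":
    wanted = [
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",   # the suite asked about
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  # its ephemeral sibling
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            # irregular name, untranslated
    ]
    for iana, (o, verdict) in check_suites(wanted, SUPPORTED_11_6_EXAMPLE).items():
        print(f"{iana:42} -> {o or '-':32} {verdict}")
```

The check flags the suite from the question as static key exchange and its ECDHE sibling as supported, which is the substance of the answer above. On a host with OpenSSL 1.1.1 or later, `openssl ciphers -V -stdname` prints both names side by side and is a quick way to cross-check any translation before putting it in a BIG-IP cipher string.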