I loaded the latest version (BIGIP-14.1.0.1-0.0.7.iso) on our lab.
The openssl version on that release is "OpenSSL 1.0.2o-fips 27 Mar 2018".
Does that version of openssl include the final standard RFC for TLSv1.3?
According to openssl's website:
https://www.openssl.org/blog/blog/2018/09/11/release111/
"Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate affect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one years time.
Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.
The OpenSSL team will now be moving our focus to the next release which will see us developing a new FIPS module."
[root@bigip1:Active:Standalone] config openssl version -a
OpenSSL 1.0.2o-fips 27 Mar 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -I/home/f5cm/cm/bigip14.1.0.1/1082522/f5_build/devfs_x86_64/usr/include -DOPENSSL_NO_EC2M -Werror -m64 -O3 -DL_ENDIAN -Wall -fdebug-prefix-map=/home/f5cm/cm/bigip14.1.0.1/1082522/f5_build/devfs_x86_64/usr=/usr -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DG**text**HASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic tm_crypto rdrand
Nimbostratus
