Forum Discussion

aaperson_255899
Mar 11, 2019
Solved

changing DEFAULT ciphers v14.x

In version 14.x, I will be adding ciphers to the DEFAULT cipher list to give traffic a way to communicate between the F5 LTM and real servers. (I have done the research and discovered that the LTM and real servers weren't communicating because they had no ciphers in common. I'm planning on adding about 40 additional secure ciphers that the real servers are trying to use.)
I can't use a clientSSL or clientSSL/serverSSL profile because Performance Layer 4 with FastL4 doesn't allow SSL profiles. Using a Standard server is not an option.

What is the best way to do this? And will this work?

Thx

3 Replies

  • Jason_Cohen_417 (Historic F5 Account)

    If you are using a PerformanceL4/FastL4 Virtual Server, the BIGIP is not communicating TLS with the back end servers. The BIGIP in this case would be passing TCP traffic through from the client directly to the server. The TLS handshake would not involve the BIGIP so any changes to cipher lists on the BIGIP would be irrelevant.

    • aaperson_255899

      What would be relevant to the lack of communication? Thanks for your quick response!

    • Jason_Cohen_417 (Historic F5 Account)

      Your statement about lack of ciphers in common. If that is an error you are getting on either the client or the server, then that is where the lack of common ciphers exists. Since the handshake is done from client to back-end server and doesn't involve the BIGIP, you will need to modify the ciphers available on either the client or the back-end server. If that is not the issue, the question is much more broad than the information you've provided.
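The reply above puts the diagnosis on the client and the back-end server, since a FastL4 virtual server never takes part in the TLS handshake. The following is an added example, not code from this thread or from F5: it takes the client's and the server's OpenSSL cipher strings, expands them with the local OpenSSL build, and reports the suites both sides could actually negotiate. The cipher strings are constructed samples standing in for the real client and server configuration.

```python
import ssl
from typing import Dict, List


def expand_cipher_string(spec: str, server: bool = False) -> Dict[str, str]:
    """Expand an OpenSSL cipher string exactly as the local OpenSSL build would.

    Returns {cipher name: protocol version}. OpenSSL lists its TLS 1.3 suites
    regardless of the cipher string (they are configured separately), so they
    are filtered out: a cipher string only governs TLS 1.2 and below.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL rejects a string that leaves no usable cipher ("No cipher can be selected")
        return {}
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def common_ciphers(client_spec: str, server_spec: str) -> List[str]:
    """Return the TLS <= 1.2 suites both sides support, in the server's preference order.

    An empty list is the "no shared cipher" failure the thread describes: the fix
    belongs on one of these two endpoints, not on a pass-through load balancer.
    """
    client = expand_cipher_string(client_spec)
    server = expand_cipher_string(server_spec, server=True)
    return [name for name in server if name in client]


def explain(client_spec: str, server_spec: str) -> str:
    """Human-readable verdict for an operator comparing two configurations."""
    shared = common_ciphers(client_spec, server_spec)
    if not shared:
        return "NO SHARED CIPHER: add a suite both endpoints accept on the client or the server"
    return "shared suites (server order): " + ", ".join(shared)


if __name__ == "__main__":
    # Constructed sample: a client that only offers AES-128 GCM against a server pinned to AES-256 GCM.
    print(explain("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"))
    # Constructed sample: the same server after adding the client's suite to its list.
    print(explain("ECDHE-RSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"))
```

Because the check uses the local OpenSSL's own cipher-string parser, run it on the machine whose OpenSSL version matches the endpoint you are modelling; TLS 1.3 suites are negotiated independently and are deliberately excluded from the comparison.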