Last Modified: Sep 13, 2023
17.1.0, 126.96.36.199, 16.1.3
Opened: Feb 21, 2022 Severity: 3-Major
TLS cipher suites that use RSA key exchange (RSA-KEX) are non-approved ciphers under the FIPS 140-3 certification standard.
SSL handshake will not be successful.
- BIG-IP versions 16.1.3 and above.
- A FIPS 140-3 license is installed on BIG-IP, or it is a FullBoxFIPS device.
- The f5-fips cipher-group is associated with SSL profiles.
- Connections are established using the RSA-KEX based ciphers.

Create a custom cipher-group including all the required cipher strings and associate it with the SSL profiles.
For FIPS 140-3 certification, TLS cipher suites that use RSA-KEX are reported as non-approved ciphers in FIPS mode, and these cipher strings have been removed from the f5-fips cipher group.
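
To see which entries of a cipher list fall under the RSA-KEX condition above, the following added example (not F5 code) splits a colon-separated list into RSA key exchange suites and everything else. It assumes OpenSSL-style names, where a suite with no key-exchange prefix uses RSA key exchange, or IANA-style `TLS_RSA_*` names; the sample list is constructed, and `uses_rsa_kex` and `partition` are hypothetical helper names.

```python
# Added example: flag cipher suites that use plain RSA key exchange (RSA-KEX).
# Assumption: names are OpenSSL style (no key-exchange prefix means RSA-KEX)
# or IANA style (TLS_RSA_*). Other vendor naming may need extra rules.

# Leading tokens that indicate a key exchange other than plain RSA.
NON_RSA_KEX_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH",
                        "AECDH", "PSK", "SRP", "KRB5"}


def uses_rsa_kex(name: str) -> bool:
    """Return True if the suite name denotes plain RSA key exchange."""
    n = name.strip().upper()
    if not n:
        return False
    if n.startswith("TLS_"):
        # IANA names: TLS_RSA_WITH_* and TLS_RSA_EXPORT*_WITH_* are RSA-KEX.
        # TLS 1.3 names (TLS_AES_*, TLS_CHACHA20_*) have no RSA key exchange.
        return n.startswith("TLS_RSA_") and not n.startswith("TLS_RSA_PSK_")
    if n.startswith("EXP-"):
        n = n[4:]  # export marker precedes the real key-exchange token
    if n.startswith("RSA-PSK-") or n.startswith("GOST"):
        return False
    # OpenSSL omits the key-exchange token when it is RSA (e.g. AES128-SHA).
    return n.split("-", 1)[0] not in NON_RSA_KEX_PREFIXES


def partition(cipher_list: str):
    """Split a colon-separated cipher list into (rsa_kex, other)."""
    names = [c.strip() for c in cipher_list.split(":") if c.strip()]
    rsa_kex = [c for c in names if uses_rsa_kex(c)]
    other = [c for c in names if not uses_rsa_kex(c)]
    return rsa_kex, other


# Constructed sample list, not taken from any BIG-IP configuration.
SAMPLE = (
    "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:"
    "TLS_RSA_WITH_AES_128_CBC_SHA:ECDHE-ECDSA-AES256-GCM-SHA384"
)

if __name__ == "__main__":
    rsa_kex, other = partition(SAMPLE)
    print("RSA-KEX (non-approved under FIPS 140-3):", rsa_kex)
    print("Other key exchange:", other)
```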