Bug ID 1082505: TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification

Last Modified: Aug 04, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 17.0.0

Fixed In:
17.0.0.1, 16.1.3

Opened: Feb 21, 2022
Severity: 3-Major

Symptoms

TLS ciphersuites that use RSA key exchange (RSA-KEX) are non-approved ciphers under the FIPS 140-3 certification standard.

Impact

The SSL handshake will fail.

Conditions

- BIG-IP versions 16.1.3 and above
- A FIPS 140-3 license is installed on the BIG-IP, or it is a FullBoxFIPS device
- The f5-fips cipher-group is associated with SSL profiles
- Connections are established using RSA-KEX based ciphers

Workaround

Create a custom cipher-group that includes all the required cipher strings and associate it with the SSL profiles.

Fix Information

For FIPS 140-3 certification, TLS ciphersuites that use RSA key exchange (RSA-KEX) are reported as non-approved ciphers in FIPS mode, and these cipher strings have been removed from the f5-fips cipher group.
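When building the custom cipher-group from the workaround above, the practical question is which cipher strings actually use RSA key exchange. Names such as ECDHE-RSA-AES256-GCM-SHA384 contain "RSA" but use RSA only for authentication; the key exchange is ECDHE. The check below is an added example, not F5 code and not a tmsh command: it parses OpenSSL-style cipher descriptions (the `Kx=` field that `openssl ciphers -v` and Python's `ssl.SSLContext.get_ciphers()` report) and separates RSA-KEX ciphers from the rest. The sample descriptions are constructed for the example and are not taken from any BIG-IP configuration.

```python
import re
import ssl

# Constructed sample entries in the format of `openssl ciphers -v`, which is
# also the 'description' string that ssl.SSLContext.get_ciphers() returns.
# These are illustrative only, not an f5-fips or BIG-IP cipher list.
SAMPLE_CIPHER_DESCRIPTIONS = [
    "TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
    "DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD",
    "AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD",
    "AES128-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)    Mac=SHA1",
]

_NAME_RE = re.compile(r"^(\S+)")
_KX_RE = re.compile(r"\bKx=(\S+)")


def cipher_name(description):
    """First whitespace-delimited token of an OpenSSL cipher description."""
    return _NAME_RE.match(description.strip()).group(1)


def key_exchange(description):
    """Return the key-exchange algorithm (the Kx= field) of a description."""
    match = _KX_RE.search(description)
    if match is None:
        raise ValueError("no Kx= field in cipher description: %r" % description)
    return match.group(1)


def uses_rsa_kex(description):
    # Only Kx=RSA is plain RSA key transport. ECDH/DH with Au=RSA is an
    # ephemeral key exchange that merely authenticates with an RSA key.
    return key_exchange(description).upper() == "RSA"


def split_by_key_exchange(descriptions):
    """Split cipher names into (kept, rsa_kex).

    kept    -> names whose key exchange is not RSA (candidates for the
               custom cipher-group)
    rsa_kex -> names that use RSA key exchange (non-approved under FIPS 140-3)
    """
    kept, rsa_kex = [], []
    for description in descriptions:
        target = rsa_kex if uses_rsa_kex(description) else kept
        target.append(cipher_name(description))
    return kept, rsa_kex


def audit_local_openssl(context=None):
    """Run the same split over the ciphers the local OpenSSL build enables.

    Assumption: Python 3.6+ (SSLContext.get_ciphers). Which ciphers appear
    depends entirely on the local OpenSSL build and context settings.
    """
    ctx = context if context is not None else ssl.create_default_context()
    return split_by_key_exchange(c["description"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    kept, rsa_kex = split_by_key_exchange(SAMPLE_CIPHER_DESCRIPTIONS)
    print("RSA key exchange (non-approved, FIPS 140-3):")
    for name in rsa_kex:
        print("  ", name)
    print("Other key exchange (candidates for a custom cipher-group):")
    for name in kept:
        print("  ", name)
```

The `kept` list is only a first filter: it removes RSA key-transport ciphers, and the remaining strings still have to match what the FIPS-validated module on the device actually approves before they go into the custom cipher-group.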

Behavior Change