Last Modified: Oct 16, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Apr 02, 2015 Severity: 3-Major
Ciphersuite sets, such as DEFAULT or COMPAT, are dynamic sets, reflecting the set of ciphersuites that F5 considers optimal based on multiple criteria, such as security, performance, interoperability. In the current release COMPAT is empty by default, i.e. clientssl-ciphers "compat" returns an empty set. There are ciphers in COMPAT that can be enabled by administrators. F5 intends to deprecate COMPAT set in the future in favour of NATIVE. NATIVE is currently the DEFAULT.
Some ciphersuites were removed from COMPAT. If the serverssl profile was using e.g. "COMPAT+RC4-MD5", the administrator will need to adjust the cipherstring, e.g. with "SSLv3+RC4-MD5", in which case it will be provided through the NATIVE subset. NATIVE is the DEFAULT subset of ciphersuites. F5 recommends that the subset of ciphersuites configured on the server is reviewed periodically, as ciphersuites get weaker and client preferences change. The product upgrade to a major release is a good opportunity for such a review.
COMPAT keyword is used in the cipherstring in clientssl or serverssl profile.
Adjustment to the ciphersuite string may be needed.
None