Bug ID 602568: Updated Default Ciphersuite Group

Last Modified: Apr 19, 2021


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Jul 01, 2016
Severity: 3-Major

Symptoms

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When "DEFAULT" group is used, the following changes have been made.

Original Default Ciphersuite Group:
RSA+DH
RSA
RSA+ECDH

Original Default + ECDHE_ECDSA:
RSA+DH
RSA
RSA+ECDH
ECDSA+ECDH

Update to: "DEFAULT" will contain ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").

Impact

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection when the "DEFAULT" group is used.

Conditions

This is the new default in this release.

Workaround

None. This is cosmetic.

Fix Information

"DEFAULT" contains ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").

Behavior Change

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When "DEFAULT" group is used, the following changes have been made.

Original Default Ciphersuite Group:
RSA+DH
RSA
RSA+ECDH

Original Default + ECDHE_ECDSA:
RSA+DH
RSA
RSA+ECDH
ECDSA+ECDH

Update to: "DEFAULT" will contain ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").
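
An audit helper for the category orders listed in this record, added here as an example and not part of the F5 bug record or of BIG-IP itself. It takes a ciphersuite listing in presentation order and reports which DEFAULT ordering it follows; the mapping from OpenSSL-style suite names to the four categories and the sample listings are assumptions made for illustration.

```python
# Added example. Category names and orders are quoted from the bug text; the
# mapping from suite names to categories and the sample lists are assumptions.
KNOWN_ORDERS = {
    "original": ["RSA+DH", "RSA", "RSA+ECDH"],
    "original + ECDHE_ECDSA": ["RSA+DH", "RSA", "RSA+ECDH", "ECDSA+ECDH"],
    "updated": ["RSA+ECDH", "RSA", "ECDSA+ECDH", "RSA+DH"],
}


def category(suite):
    """Map an OpenSSL-style suite name to one of the four categories (assumed mapping)."""
    name = suite.upper()
    if name.startswith(("ECDHE-ECDSA-", "ECDH-ECDSA-")):
        return "ECDSA+ECDH"
    if name.startswith(("ECDHE-RSA-", "ECDH-RSA-")):
        return "RSA+ECDH"
    if name.startswith(("DHE-RSA-", "EDH-RSA-")):
        return "RSA+DH"
    if name.startswith(("DHE-", "EDH-", "ADH-", "AECDH-", "ECDHE-", "ECDH-", "TLS13-")):
        raise ValueError(f"{suite}: outside the four categories in the bug text")
    return "RSA"  # no key-exchange prefix, e.g. AES128-GCM-SHA256


def category_order(suites):
    """Categories in order of first appearance; each must form one contiguous run."""
    order = []
    for suite in suites:
        cat = category(suite)
        if order and order[-1] == cat:
            continue
        if cat in order:
            raise ValueError(f"{suite}: category {cat} is split into several runs")
        order.append(cat)
    return order


def which_default(suites):
    """Name the DEFAULT ordering a listing follows, or 'custom' if none matches."""
    order = category_order(suites)
    for label, expected in KNOWN_ORDERS.items():
        if order == expected:
            return label
    return "custom"


# Constructed listings, in the order a profile would present them.
UPDATED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
           "AES128-GCM-SHA256", "AES256-SHA",
           "ECDHE-ECDSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"]
ORIGINAL = ["DHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256"]
```

A result of "custom" means the listing matches none of the three orders in this record, which is expected for profiles that do not use the DEFAULT group.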