Bug ID 602568: Updated Default Ciphersuite Group

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Jul 01, 2016

Severity: 3-Major

Symptoms

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When the "DEFAULT" group is used, the following changes have been made.

Original Default Ciphersuite Group:
1. RSA+DH
2. RSA
3. RSA+ECDH

Original Default + ECDHE_ECDSA:
1. RSA+DH
2. RSA
3. RSA+ECDH
4. ECDSA+ECDH

Update to: "DEFAULT" will contain ciphersuites in the following categories, in this order, in the BIG-IP system's view:
1. RSA+ECDH
2. RSA
3. ECDSA+ECDH
4. RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").

Impact

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection when "DEFAULT" group is used.

Conditions

This is the new default in this release.

Workaround

None. This is cosmetic.

Fix Information

"DEFAULT" contains ciphersuites in the following categories, in this order, in the BIG-IP system's view:
1. RSA+ECDH
2. RSA
3. ECDSA+ECDH
4. RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").

Behavior Change

Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When the "DEFAULT" group is used, the following changes have been made.

Original Default Ciphersuite Group:
1. RSA+DH
2. RSA
3. RSA+ECDH

Original Default + ECDHE_ECDSA:
1. RSA+DH
2. RSA
3. RSA+ECDH
4. ECDSA+ECDH

Update to: "DEFAULT" will contain ciphersuites in the following categories, in this order, in the BIG-IP system's view:
1. RSA+ECDH
2. RSA
3. ECDSA+ECDH
4. RSA+DH

In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").
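
As an added example (not F5 code and not part of this bug record), the following Python script checks an ordered cipher listing against the category order stated above and flags any suite below 128 bits. The input format (one `NAME BITS` pair per line), the OpenSSL-style name prefixes used to assign categories, and both sample listings are assumptions constructed for illustration.

```python
# Added example: audit an ordered cipher listing against the category order
# this record gives for the updated DEFAULT group. Names and data are assumed.

EXPECTED_ORDER = ["RSA+ECDH", "RSA", "ECDSA+ECDH", "RSA+DH"]
MIN_BITS = 128  # "128-bit security strength" floor from the record

# Assumption: OpenSSL-style suite names, category inferred from the prefix.
PREFIXES = [
    ("ECDHE-RSA-", "RSA+ECDH"),
    ("ECDHE-ECDSA-", "ECDSA+ECDH"),
    ("DHE-RSA-", "RSA+DH"),
]
RSA_KEYX_STARTS = ("AES", "CAMELLIA", "DES-CBC3")  # no key-exchange prefix


def classify(name):
    for prefix, category in PREFIXES:
        if name.startswith(prefix):
            return category
    return "RSA" if name.startswith(RSA_KEYX_STARTS) else "other"


def audit(listing):
    """listing: one 'NAME BITS' pair per line, in server preference order."""
    runs, weak = [], []
    for line in listing.strip().splitlines():
        name, bits = line.split()
        category = classify(name)
        if not runs or runs[-1] != category:
            runs.append(category)  # start of a new contiguous category run
        if int(bits) < MIN_BITS:
            weak.append(name)
    # A category split into two runs, or an unknown one, fails the comparison.
    expected = [c for c in EXPECTED_ORDER if c in runs]
    return {"runs": runs, "order_ok": runs == expected, "weak": weak}


# Constructed sample listings (not captured from a BIG-IP system).
UPDATED = """ECDHE-RSA-AES128-GCM-SHA256 128
ECDHE-RSA-AES256-GCM-SHA384 256
AES128-GCM-SHA256 128
AES256-SHA 256
ECDHE-ECDSA-AES128-GCM-SHA256 128
DHE-RSA-AES128-SHA 128"""
ORIGINAL = """DHE-RSA-AES128-SHA 128
AES128-SHA 128
ECDHE-RSA-AES128-SHA 128"""

if __name__ == "__main__":
    for label, listing in (("updated", UPDATED), ("original", ORIGINAL)):
        print(label, audit(listing))
```

A listing that passes on the original order and fails on the updated one (or the reverse) shows which DEFAULT behavior a given profile is actually presenting, which matters when a client's negotiated key exchange changes after an upgrade.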
