
Cipher Suites on F5

Listing Supported Suites and Ciphers

Bash
# default sane ciphers in 2023
# single quotes are required when negating a suite, because interactive bash treats an unquoted or double-quoted ! as history expansion
tmm --clientciphers 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!TLSv1_1:!RSA:!DHE'

You can use ciphersuite.info, testssl.sh, or Mozilla’s Cipher Suite pages to convert names between IANA, GnuTLS, NSS, and OpenSSL. Links are in the References below.

Some ciphers are hardware accelerated on F5 hardware. See F5 article K13213 for a list of hardware and which ciphers are eligible for hardware acceleration.

Example

Bash
config # tmm --clientciphers 'DEFAULT:!RC4:!SSLv3:!TLSv1:!3DES:!AES128-SHA:!AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!TLSv1_1:!RSA:!DHE'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  DTLS1   AES                 SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 4: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  AES-GCM             SHA256  ECDHE_ECDSA
 6: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  AES                 SHA     ECDHE_ECDSA
 7: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  AES                 SHA256  ECDHE_ECDSA
 8: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA
 9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  AES                 SHA     ECDHE_ECDSA
10: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  AES                 SHA384  ECDHE_ECDSA
11:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *
12:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *
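
The listing above can also be checked mechanically. The following is an added example, not part of the original page: it parses `tmm --clientciphers` output with awk and prints every row that fails an assumed policy of TLS1.2/TLS1.3 with AEAD ciphers only. The function names and the policy are assumptions; the sample input is the listing from this page.

```shell
#!/bin/sh
# Added example (not from the original page): list the rows of
# `tmm --clientciphers` output that an assumed policy would reject.
# Assumed policy: protocol is TLS1.2 or TLS1.3 and the cipher is AEAD (GCM/CHACHA20).

audit_tmm_ciphers() {
  awk '
    # Data rows start with an index such as "2:"; header and prompt lines do not.
    $1 ~ /^[0-9]+:$/ && NF >= 8 {
      suite = $3; prot = $5; cipher = $6; mac = $7; why = ""
      if (prot != "TLS1.2" && prot != "TLS1.3") why = why " protocol=" prot
      if (cipher !~ /GCM|CHACHA20/)             why = why " non-AEAD=" cipher "/" mac
      if (why != "") printf "%s%s\n", suite, why
    }'
}

# Sample input: the listing shown in the Example section of this page.
sample_output() {
  cat <<'EOF'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  DTLS1   AES                 SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 4: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  AES-GCM             SHA256  ECDHE_ECDSA
 6: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  AES                 SHA     ECDHE_ECDSA
 7: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  AES                 SHA256  ECDHE_ECDSA
 8: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA
 9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  AES                 SHA     ECDHE_ECDSA
10: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  AES                 SHA384  ECDHE_ECDSA
11:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *
12:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *
EOF
}

# On a BIG-IP, pipe the real `tmm --clientciphers '...'` command instead of sample_output.
sample_output | audit_tmm_ciphers
```

Against the listing above it reports seven rows: the six TLS1.2 non-AEAD suites plus the DTLS1 entry, which is still present even though the cipher string contains `!TLSv1`.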

References