Learn
Network and security concepts, explained clearly.
Practical explanations of the concepts behind the tools. Each article is written to build genuine understanding, not just to define a term.
Certificates & PKI
Anatomy of an X.509 Certificate
What lives inside a TLS certificate, how the ASN.1/DER bytes are structured, what the v3 extensions actually control, and why decoding a certificate is not the same as trusting it.
PEM, DER, and the certificate file formats
Why the same certificate comes in so many file shapes, what PEM and DER actually are, and what .crt, .pem, .pfx, and .p12 really hold.
Certificate signing requests and how certificates are issued
What a CSR contains, why your private key never leaves your machine, how a CA validates and issues, and how ACME automates the whole exchange.
Certificates, Keys, and Chain Building in an SSL Profile
A client-ssl profile binds a server certificate to its private key and, crucially, to a chain bundle that lets clients build a path to a trusted root. The modern cert-key-chain construct also lets one profile serve several certificate types, picked per client — the foundation of RSA-plus-ECDSA and SNI deployments.
How certificate validation actually works
The steps a client runs to decide a certificate is trustworthy: building the chain, checking signatures and dates, matching the name, and enforcing constraints.
Certificate revocation: CRL, OCSP, and short-lived certificates
Why a certificate sometimes needs to be cancelled before it expires, why the classic revocation systems work poorly, and why the industry is shrinking certificate lifetimes instead.
Mutual TLS with peer-cert-mode
Most TLS proves the server to the client. Mutual TLS also proves the client to the server, and on a BIG-IP that is the job of peer-cert-mode plus a trusted-CA bundle. The gap to watch is the difference between requesting a client certificate and actually requiring and validating one.
Authority Information Access: The OCSP and CA Issuers URLs
The AIA extension carries two kinds of pointer: where to ask whether a certificate is revoked (OCSP) and where to fetch the issuer's own certificate (CA Issuers). What each is for, why they are easy to confuse, and what the inspector shows.
OCSP Must-Staple: Closing the Soft-Fail Gap
Real-time OCSP checking has a fatal weakness: when the responder is unreachable, clients usually proceed anyway. OCSP stapling and the Must-Staple flag are the fix. What the TLS Feature extension declares, and the operational risk it carries.
The 47-day era: how TLS certificate lifetimes are shrinking
The CA/Browser Forum's SC-081v3 schedule takes maximum public TLS validity from 398 days down to 47 by 2029, in three steps. What the phases are, why 47, and what it does to renewal volume.
Certificate validity windows: notBefore, notAfter, and renewal lead time
How a certificate's lifetime is defined by two timestamps, how that length is measured against the cap, why validity is not the same as time remaining, and how to choose a renewal lead time.
DCV and SII reuse: the validation cadence behind the renewal cadence
Issuing a certificate means proving domain control and, for OV/EV, organization identity. SC-081v3 shrinks how long those proofs can be reused — DCV to 10 days by 2029 — which reshapes renewal as much as validity does.
Renewing before expiry: lead time, ACME, and ARI
Why late renewal causes outages, how ACME automates issuance and renewal, how the ARI extension lets a CA steer the renewal window, and how to pick a lead time that leaves room to retry.
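A small planner, added here as an example (it is not the site's own tool or any CA's code), that ties the three entries above together: it measures a certificate's lifetime the way the Baseline Requirements measure it, looks up the validity and DCV-reuse caps in force on the issue date, and derives a renewal date that leaves room to retry. The SC-081v3 phase dates, the one-third lead fraction and the three-day minimum lead are assumptions of this example, and ARI is not modelled.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# SC-081v3 phases as (effective date, max validity days, max DCV reuse days).
# Assumption of this example: the dates are recalled from the ballot; check the
# current Baseline Requirements before relying on them.
PHASES = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200, 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100, 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47, 10),
]
BASELINE_VALIDITY_DAYS, BASELINE_DCV_DAYS = 398, 398


def _as_dt(value):
    """Accept an aware datetime or an RFC 3339 string such as 2026-04-01T00:00:00Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def caps_at(issued):
    """(max validity days, max DCV reuse days) for a certificate issued at `issued`."""
    validity, dcv = BASELINE_VALIDITY_DAYS, BASELINE_DCV_DAYS
    for effective, v, d in PHASES:
        if _as_dt(issued) >= effective:
            validity, dcv = v, d
    return validity, dcv


def validity_days(not_before, not_after):
    """Lifetime as the BRs measure it: notBefore through notAfter inclusive,
    hence the extra second. A cert with notAfter = notBefore + 47 days is
    47 days plus one second long and exceeds a 47-day cap."""
    delta = _as_dt(not_after) - _as_dt(not_before)
    return (delta.total_seconds() + 1) / 86400


def plan(not_before, not_after, now, public=True, lead_fraction=1 / 3, min_lead_days=3):
    """Compliance verdict plus a renewal date. lead_fraction and min_lead_days are
    assumptions of this example: renew when a third of the lifetime remains,
    but never with less than three days of retry room."""
    nb, na, now = _as_dt(not_before), _as_dt(not_after), _as_dt(now)
    lifetime = validity_days(nb, na)
    if public:
        cap_validity, cap_dcv = caps_at(nb)
        compliant = lifetime <= cap_validity
    else:
        cap_validity = cap_dcv = None      # private PKI: SC-081 does not apply
        compliant = True
    lead = max(timedelta(days=lifetime * lead_fraction), timedelta(days=min_lead_days))
    renew_at = na - lead
    return {
        "validity_days": round(lifetime, 4),
        "cap_days": cap_validity,
        "dcv_reuse_cap_days": cap_dcv,
        "compliant": compliant,
        "remaining_days": round((na - now).total_seconds() / 86400, 4),
        "renew_at": renew_at.isoformat().replace("+00:00", "Z"),
        "renew_now": now >= renew_at,
        "expired": now >= na,
    }
```

The inclusive measurement is why CAs set notAfter one second short of a whole number of days; the planner reports 90.0 for such a certificate and 90.0000116 for one that overshoots by that second.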
Public vs private PKI: which certificates SC-081v3 governs
The 47-day schedule binds publicly trusted TLS certificates only. What separates public from private PKI, why internal CAs are exempt, and how to read the planner's compliance verdict for an internal certificate.
Encoding & data
Bytes, code points, and UTF-8
The difference between a character and a byte, why Unicode and UTF-8 exist, and what that has to do with Base64.
JSON vs YAML: What Converts Cleanly and What Does Not
YAML was designed so that every JSON document is also valid YAML, which is why conversion between them usually just works. The interesting part is the edges: comments, anchors, multiple documents, and YAML-only types that have no JSON equivalent.
The Anatomy of a URL
Every URL is built from the same handful of parts defined by RFC 3986: scheme, authority (userinfo, host, port), path, query, and fragment. What each part means, how a parser tells them apart, and where the boundaries actually fall.
The JSON Grammar: Six Types and a Few Strict Rules
JSON is smaller than it looks. The whole format is six value types and a handful of structural characters, governed by rules that are stricter than most people remember: no comments, no trailing commas, and keys that must be quoted strings.
What Unix Time Actually Is
Unix time is a single integer: the number of seconds since 1970-01-01T00:00:00Z, the epoch. It is time-zone independent, compact, and sortable, which is why it underpins almost every system clock, log line, and API timestamp. Converting it to a calendar date is pure arithmetic.
Base64 and Base64URL, explained
How binary data becomes safe-to-transmit text, why padding exists, and what changes in the URL-safe variant.
JSON Numbers and the Precision Trap
JSON puts no limit on the size or precision of a number, but most parsers quietly convert every number to a 64-bit float. That mismatch silently corrupts large integers and exact decimals, which is why a formatter should preserve the original digits.
Query Strings: Parameters, Plus Signs, and Repeated Keys
The part of a URL after the question mark looks simple but hides real ambiguity: how parameters are separated, why a plus sign sometimes means a space, how repeated keys behave, and why there is no single governing standard.
Seconds, Milliseconds, Microseconds, Nanoseconds: Telling Epoch Units Apart
The same instant can be written as 1700000000, 1700000000000, or larger, depending on whether the timestamp counts seconds, milliseconds, microseconds, or nanoseconds. Mixing them up is a classic bug. You can almost always tell which is which from the number's magnitude.
YAML Type Coercion and the Norway Problem
YAML guesses the type of every unquoted scalar, and its guesses are surprising: the country code NO becomes false, a version like 1.0 becomes a number, and a zero-padded code loses its zeros. Knowing the rule is the key to safe conversion.
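The rule the entry above refers to, as an added example that is not the site's converter: a resolver that applies the YAML 1.1 implicit-typing patterns as PyYAML implements them (the single-letter y/n forms and sexagesimal floats are left out, as PyYAML also leaves out the former), and a helper that decides whether a JSON string must be quoted when written into YAML so that it stays a string.

```python
import json
import re

# YAML 1.1 implicit-type rules as PyYAML applies them. Assumption of this example:
# the y/Y/n/N forms from the spec are omitted (PyYAML omits them) and sexagesimal
# floats are not handled.
_BOOL_TRUE = {"yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
_BOOL_FALSE = {"no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"}
_NULL = {"", "~", "null", "Null", "NULL"}
_INT = re.compile(r"""^(?:
      (?P<bin>[-+]?0b[0-1_]+)
    | (?P<hex>[-+]?0x[0-9a-fA-F_]+)
    | (?P<oct>[-+]?0[0-7_]+)
    | (?P<dec>[-+]?(?:0|[1-9][0-9_]*))
    | (?P<sexa>[-+]?[1-9][0-9_]*(?::[0-5]?[0-9])+)
    )$""", re.X)
_FLOAT = re.compile(r"""^(?:
      (?P<num>[-+]?[0-9][0-9_]*\.[0-9_]*(?:[eE][-+][0-9]+)?)
    | (?P<dot>[-+]?\.[0-9_]+(?:[eE][-+][0-9]+)?)
    | (?P<inf>[-+]?\.(?:inf|Inf|INF))
    | (?P<nan>\.(?:nan|NaN|NAN))
    )$""", re.X)


def resolve(scalar):
    """Return what an unquoted YAML 1.1 scalar silently becomes."""
    if scalar in _NULL:
        return None
    if scalar in _BOOL_TRUE:
        return True
    if scalar in _BOOL_FALSE:
        return False
    m = _INT.match(scalar)
    if m:
        sign = -1 if scalar.startswith("-") else 1
        body = scalar.lstrip("+-").replace("_", "")
        if m.group("bin"):
            return sign * int(body[2:], 2)
        if m.group("hex"):
            return sign * int(body[2:], 16)
        if m.group("oct"):
            return sign * int(body[1:], 8)      # the leading zero makes it octal
        if m.group("sexa"):                      # 1:30 is base-60, i.e. 90
            value = 0
            for part in body.split(":"):
                value = value * 60 + int(part)
            return sign * value
        return sign * int(body)
    m = _FLOAT.match(scalar)
    if m:
        if m.group("nan"):
            return float("nan")
        if m.group("inf"):
            return float("-inf") if scalar.startswith("-") else float("inf")
        return float(scalar.replace("_", ""))
    return scalar                                # anything else stays a string


def needs_quoting(text):
    """True when writing `text` unquoted into YAML would change its type."""
    return not isinstance(resolve(text), str)


def to_yaml_scalar(text):
    """Emit a JSON string as a YAML scalar that round-trips as a string."""
    return json.dumps(text) if needs_quoting(text) else text
```

Note the asymmetry this exposes: 1e5 without a dot stays a string under these rules, while 1.0 becomes a float and 0123 becomes the octal integer 83, which is the kind of surprise that turns a ZIP code or a version field into a number.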
Base64URL and the URL-safe alphabet
Why JWTs and PKCE use a different Base64 alphabet, the two characters that change, and what happens to the padding.
Duplicate Keys in JSON: Legal, Dangerous, and Worth Catching
JSON syntax allows the same key to appear more than once in an object, but the specification does not say what that means. Different parsers resolve it differently, which makes duplicate keys a quiet source of bugs and even security issues.
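An added example, not code from the site's formatter, covering this entry and the precision-trap entry above it: the standard library parser with an `object_pairs_hook` that makes the duplicate-key policy explicit (reject, first wins, or last wins) and number hooks that keep every digit, beside a loader that mimics a parser which pushes every number through a 64-bit float. The sample document is constructed for the example.

```python
import json
from decimal import Decimal


class DuplicateKeyError(ValueError):
    pass


def _pairs_hook(policy):
    """Build an object_pairs_hook that applies a stated duplicate-key policy."""
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                if policy == "reject":
                    raise DuplicateKeyError(f"duplicate key {key!r}")
                if policy == "first":
                    continue            # keep the first value, as some parsers do
            obj[key] = value            # "last": overwrite, as Python's json and most JS engines do
        return obj
    return hook


def load(text, duplicates="reject"):
    """Strict parse: a deliberate duplicate-key policy (default: refuse) and
    numbers kept exact. parse_float=Decimal preserves the written digits of
    0.10 instead of collapsing it to the float 0.1."""
    return json.loads(text, object_pairs_hook=_pairs_hook(duplicates),
                      parse_float=Decimal, parse_int=int)


def load_like_a_double_parser(text):
    """Mimic a parser that forces every number through a 64-bit float, which is
    what most JSON libraries quietly do."""
    return json.loads(text, parse_int=float, parse_float=float)


# Constructed sample: a duplicated role claim, an exact decimal, and an
# integer one above 2**53, the largest integer a double represents exactly.
SAMPLE = '{"role": "user", "role": "admin", "amount": 0.10, "id": 9007199254740993}'
```

Why the policy matters for security: a validator that sees the first `role` and a consumer that acts on the last one disagree about the same document, which is the parser-differential pattern behind several real authorization bypasses. Rejecting the document removes the ambiguity rather than picking a side.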
JSON and YAML in Practice: APIs, Declarations, and Orchestration
The split is not random: APIs and machine-to-machine declarations tend to be JSON, while human-authored orchestration and pipeline files tend to be YAML. Understanding why each domain chose what it did explains when converting between them is useful.
The Year 2038 Problem
A signed 32-bit integer can count seconds only up to 2147483647, which falls on 2038-01-19T03:14:07Z. One second later it overflows and wraps to a negative number, throwing affected systems back to 1901. It is Y2K's quieter successor, and the fix is a wider integer.
URL Encoding and Internationalized Hosts
URLs are restricted to a small set of ASCII characters, so everything else is encoded. Percent-encoding handles paths and queries; punycode handles non-ASCII host names. How both work, and why internationalized hosts are a phishing concern.
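One example, added here and not the site's own URL tool, for this entry and the URL-anatomy and query-string entries above: it splits a URL into its RFC 3986 parts, groups repeated query keys with an explicit choice about what a plus sign means, percent-encodes against the unreserved set, and punycodes a host while flagging the one homograph pattern that a narrow check can catch. The sample URL and hosts are constructed; Python's `idna` codec implements IDNA 2003, and the mixed-script test is a simplification of what browsers do, not the full UTS #39 policy.

```python
import unicodedata
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def dissect(url):
    """The RFC 3986 parts. urlsplit leaves percent-encoding in place, so decoded
    forms are produced separately; the host is lowercased by urlsplit itself."""
    s = urlsplit(url)
    return {
        "scheme": s.scheme,
        "username": unquote(s.username) if s.username else None,
        "password": unquote(s.password) if s.password else None,
        "host": s.hostname,
        "port": s.port,
        "path_raw": s.path,
        "path": unquote(s.path),
        "query": s.query,
        "fragment": s.fragment,
    }


def query_params(query, plus_is_space=True):
    """Group repeated keys into lists. '+' means a space only under the
    application/x-www-form-urlencoded reading; plus_is_space=False keeps it literal."""
    if not plus_is_space:
        query = query.replace("+", "%2B")
    grouped = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped


def percent_encode(text):
    """Encode everything except the RFC 3986 unreserved set (letters, digits, - . _ ~)."""
    return quote(text, safe="")


def _scripts(label):
    """First word of each letter's Unicode name: LATIN, CYRILLIC, GREEK, CJK, ..."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def host_info(host):
    """Punycode each label and flag Latin mixed with Cyrillic or Greek in one label,
    the classic homograph trick (аpple.com with a Cyrillic а). Assumption: this
    narrow check stands in for the fuller confusable rules browsers apply."""
    labels = host.split(".")
    mixed = any("LATIN" in _scripts(l) and _scripts(l) & {"CYRILLIC", "GREEK"} for l in labels)
    return {
        "punycode": ".".join(l.encode("idna").decode("ascii") for l in labels),
        "mixed_script": mixed,
    }


# Constructed sample URL for this example.
SAMPLE_URL = "https://user:pa%40ss@例え.jp:8443/a%20b/c?q=1+2&q=3&empty=#top"
```

The `xn--` form is what actually goes on the wire and into the certificate's SAN, which is why a display name and a punycode name should both be shown when a host is inspected.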
ISO 8601, RFC 3339, and the HTTP Date
Once a Unix timestamp is turned back into a human date, it gets written in one of a few standard text formats. ISO 8601 is the broad standard, RFC 3339 is its strict internet profile, and the HTTP date is the odd one out. Knowing the difference saves a lot of parsing grief.
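One added example, not the site's converter, for this entry and the Unix-time, epoch-unit, 2038 and leap-second entries above it: the unit is guessed from magnitude, the calendar date is produced by pure integer arithmetic on the 86,400-second day that Unix time assumes, the three text formats are emitted, and the signed 32-bit wraparound is simulated. The magnitude thresholds are an assumption that holds for dates in the current era.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

UNIT_DIVISORS = {"s": 1, "ms": 10**3, "us": 10**6, "ns": 10**9}
INT32_MAX = 2**31 - 1
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def guess_unit(value):
    """Pick the unit from digit count (assumption: dates between 2001 and 2286
    give 10 digits for seconds, 13 for ms, 16 for us, 19 for ns)."""
    digits = len(str(abs(int(value))))
    if digits <= 11:
        return "s"
    if digits <= 14:
        return "ms"
    if digits <= 17:
        return "us"
    return "ns"


def to_datetime(value, unit=None):
    """Convert an epoch count in any unit to an aware UTC datetime."""
    unit = unit or guess_unit(value)
    divisor = UNIT_DIVISORS[unit]
    whole, frac = divmod(int(value), divisor)
    return _EPOCH + timedelta(seconds=whole, microseconds=frac * 10**6 // divisor)


def unix_to_civil(seconds):
    """Pure integer arithmetic, no library: Unix time treats every day as 86,400 s
    (leap seconds are ignored), so days = seconds // 86400 and the remainder is the
    time of day. Days become a date with the proleptic-Gregorian 400-year era
    (146,097 days) algorithm; floor division keeps it correct for dates before 1970."""
    days, rem = divmod(seconds, 86400)
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    z = days + 719468                       # shift so the era begins on 0000-03-01
    era = z // 146097
    doe = z - era * 146097                  # day of era, 0..146096
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)   # day of the March-based year
    mp = (5 * doy + 2) // 153
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    return year, month, day, hh, mm, ss


def rfc3339(dt):
    """ISO 8601 in its strict internet profile, with Z rather than +00:00."""
    return dt.isoformat().replace("+00:00", "Z")


def http_date(dt):
    """The IMF-fixdate form HTTP uses: fixed English names and GMT."""
    return format_datetime(dt, usegmt=True)


def as_int32_time_t(seconds):
    """What a signed 32-bit time_t stores: past 2**31 - 1 the count wraps negative."""
    return ((seconds + 2**31) % 2**32) - 2**31
```

The arithmetic route and the library route agree exactly, which is the point: Unix time is a count, not a calendar, and the calendar is derived from it with integer operations.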
Where Base64 shows up: data URIs, MIME, PEM, and Basic auth
The real places binary gets wrapped in text, the size cost of doing it, and why Base64 in an auth header is not encryption.
Base32, explained
Why Base32 trades size for a case-insensitive, unambiguous alphabet, how its 5-bit grouping works, and where it shows up (TOTP secrets, onion addresses, DNS).
Why Unix Time Ignores Leap Seconds
UTC occasionally inserts a leap second to stay aligned with the Earth's rotation, but Unix time pretends every day is exactly 86,400 seconds long. That deliberate simplification means a Unix timestamp is not a true count of elapsed seconds since the epoch — and it is the right trade-off for civil time.
Hexadecimal encoding (Base16), explained
How hex represents each byte as two characters, why it is the default way to print raw bytes, and how it compares to Base64 and Base32.
Percent-encoding (URL encoding), explained
Why URLs escape certain characters as %XX, which characters are safe to leave alone, and how percent-encoding differs from Base64.
Base16, Base32, Base64, and percent-encoding compared
A side-by-side look at the four text encodings: their alphabets, size overhead, readability, and when to reach for each.
How text diff works
A diff finds the smallest set of insertions and deletions that turns one text into another. Underneath is the longest common subsequence: the lines both versions share, in order, form the unchanged backbone, and everything else is an add or a remove.
Reading a diff
How to read a line-by-line diff: unchanged, added, and removed lines, the plus and minus markers, both sides' line numbers, inline word highlighting, and what ignore-whitespace and ignore-case actually change. Plus the things a diff cannot tell you.
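The algorithm the two diff entries describe, written out as an added example rather than the site's own diff engine: a longest-common-subsequence table over the lines, a walk that emits unchanged, removed and added lines with removals first inside a change, the optional ignore-whitespace and ignore-case normalisation (applied to the comparison only, so the original lines are what gets shown), and a renderer with both sides' line numbers. Inline word highlighting is not included.

```python
def _lcs_suffix_table(a, b):
    """table[i][j] = length of the LCS of a[i:] and b[j:]. O(len(a) * len(b))."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    return table


def diff_lines(old, new, ignore_whitespace=False, ignore_case=False):
    """Return a list of (tag, line): ' ' unchanged, '-' removed, '+' added.
    Normalisation affects only which lines count as equal; the emitted text is
    the original line (old's copy for a match)."""
    def key(line):
        if ignore_whitespace:
            line = "".join(line.split())
        if ignore_case:
            line = line.casefold()
        return line

    ka, kb = [key(l) for l in old], [key(l) for l in new]
    table = _lcs_suffix_table(ka, kb)
    ops, i, j = [], 0, 0
    while i < len(old) and j < len(new):
        if ka[i] == kb[j]:
            ops.append((" ", old[i]))
            i += 1
            j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            ops.append(("-", old[i]))      # prefer the removal so '-' precedes '+'
            i += 1
        else:
            ops.append(("+", new[j]))
            j += 1
    ops.extend(("-", l) for l in old[i:])   # whatever is left on either side
    ops.extend(("+", l) for l in new[j:])
    return ops


def render(ops):
    """Side-by-side line numbers (old, new), the marker, then the line."""
    la = lb = 0
    out = []
    for tag, line in ops:
        if tag == " ":
            la += 1
            lb += 1
            out.append(f"{la:>4} {lb:>4}   {line}")
        elif tag == "-":
            la += 1
            out.append(f"{la:>4} {'':>4} - {line}")
        else:
            lb += 1
            out.append(f"{'':>4} {lb:>4} + {line}")
    return "\n".join(out)


def stats(ops):
    return {tag: sum(1 for t, _ in ops if t == tag) for tag in (" ", "-", "+")}
```

What a diff cannot tell you is visible in the output: a line that moved is reported as a removal plus an addition, and a line that only changed case vanishes from the report entirely when `ignore_case` is on.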
Hashing & crypto
Hashing, encryption, and encoding: three different things
Three operations that get constantly confused, separated cleanly by two questions: is it reversible, and does it need a key?
Cryptographic hashing: SHA-256 and the SHA-2 family
What a hash function guarantees, the properties that make it cryptographic, and why a digest is not encryption.
Choosing a hash: MD5, SHA-1, SHA-2, SHA-3, and BLAKE
Which hash functions are still safe, which are broken, what their output sizes are, and how to pick the right one.
Collisions, preimage resistance, and the birthday bound
The three security properties a cryptographic hash must have, why collisions matter, and the birthday math that sets the real strength.
Storing passwords: bcrypt, scrypt, and Argon2
Why a fast hash like SHA-256 is the wrong tool for passwords, and what salting and work factors actually do.
HMAC: keyed hashing for message authentication
Why a plain hash proves integrity but not authenticity, how a secret key fixes that, and why HMAC's structure matters.
Why HMAC, and not hash(key + message)
The length-extension attack that breaks naive keyed hashing, and the nested construction HMAC uses to defeat it.
Authenticating API requests with HMAC
How a shared secret and a hash let a server trust a request it did not see being made, and how replay protection fits in.
Verifying an HMAC safely: constant-time and replay
Why comparing signatures with == leaks a timing side channel, and why a valid signature alone does not stop a replayed request.
Identifiers
UUIDs: random v4 and time-ordered v7
How a 128-bit identifier stays unique without a central authority, and why v7 is becoming the default for database keys.
UUID versions explained: v1 through v8
The whole UUID family in one place, from time-and-MAC v1 to random v4 to time-ordered v7, plus the name-based versions and how the version and variant bits are read.
Will UUIDs collide? Probability and the birthday bound
How many random bits a UUID actually has, the birthday math for a collision, and when you want deterministic UUIDs instead.
UUIDs as database keys: v4, v7, and index locality
The real trade-off between UUIDs and auto-increment integers, and why random v4 keys quietly hurt database performance.
ULID, KSUID, Snowflake, and other sortable IDs
The popular alternatives to UUIDs for time-ordered identifiers, how each is built, and why UUIDv7 now covers most of what they were invented for.
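One added example for the five identifier entries above, not code from the site's generator: a UUIDv7 built by hand from a 48-bit millisecond timestamp plus random bits with the version and variant bits set, an inspector that reads those bits back, the birthday-bound arithmetic for collision probability, a sortability check that shows why v7 suits B-tree keys, and the name-based v5 for when a deterministic identifier is wanted instead. The random-bit counts (122 for v4, 74 per millisecond for v7) follow the layouts; everything else is standard library.

```python
import math
import os
import time
import uuid


def uuid7(timestamp_ms=None, rand=os.urandom):
    """48-bit Unix-millisecond timestamp, then 74 random bits, with the version
    nibble forced to 7 and the variant bits to the RFC 4122/9562 layout (10xx)."""
    ts = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    raw = bytearray(ts.to_bytes(6, "big") + rand(10))
    raw[6] = (raw[6] & 0x0F) | 0x70
    raw[8] = (raw[8] & 0x3F) | 0x80
    return uuid.UUID(bytes=bytes(raw))


def inspect(u):
    """Read the version and variant bits back; recover the timestamp for v7."""
    u = uuid.UUID(str(u))
    info = {"version": u.version, "variant": u.variant, "timestamp_ms": None}
    if u.version == 7:
        info["timestamp_ms"] = int.from_bytes(u.bytes[:6], "big")
    return info


def collision_probability(n, random_bits=122):
    """Birthday bound: P(at least one collision among n IDs) ~ 1 - exp(-n^2 / 2^(bits+1)).
    122 is v4's random-bit count; use 74 for v7 IDs minted in the same millisecond."""
    return 1 - math.exp(-(n * n) / 2 ** (random_bits + 1))


def ids_for_probability(p, random_bits=122):
    """Invert the bound: how many IDs until the collision probability reaches p."""
    return math.sqrt(2 * 2 ** random_bits * math.log(1 / (1 - p)))


def is_time_sorted(ids):
    """True when the string order equals generation order, as it is for v7 and
    (almost never) for v4; an index inserts in this order."""
    text = [str(i) for i in ids]
    return text == sorted(text)


def deterministic_id(name):
    """Name-based v5: the same input always yields the same UUID."""
    return uuid.uuid5(uuid.NAMESPACE_DNS, name)
```

For 2.7 quintillion v4 values the collision chance reaches one half, which is why the practical answer to "will they collide" is no, and the practical answer to "why v7" is index locality rather than uniqueness.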
Identity & tokens
Anatomy of a JSON Web Token
The three segments of a JWT, how the signature makes it trustworthy, and why decoding a token is not the same as verifying it.
JWKS and Key Rotation: How Providers Publish Their Keys
A JWKS is the public phone book of signing keys that an identity provider publishes so anyone can verify its tokens. Understanding the keys array, the kid that names each key, and why a provider keeps more than one key at a time is the foundation of token verification.
OpenID Connect: An Identity Layer on OAuth 2.0
What OpenID Connect adds to OAuth 2.0, the ID token at the center of it, the relying party and provider roles, how the authorization code flow delivers an ID token, and why an ID token is just a JWT you can decode and read.
JWK Key Types: RSA, EC, OKP, and oct
Every JSON Web Key declares a kty, and that one field decides which parameters the key carries. Four types cover almost everything you will meet: RSA, elliptic curve, the Edwards and Montgomery curves, and the symmetric octet sequence. The crucial split in all of them is public versus private.
JWT signing algorithms: HMAC, RSA, and ECDSA
Why a JWT's alg header matters, the difference between symmetric and asymmetric signing, and how to choose.
The ID Token Claims, and What a Relying Party Checks
The claims inside an OIDC ID token: the required iss, sub, aud, exp, and iat; the nonce that stops replay; azp when there are multiple audiences; acr and amr for authentication strength; auth_time; and the at_hash and c_hash binding claims, with the validation a relying party performs on each.
JWT security pitfalls: alg:none, key confusion, and missing checks
The handful of mistakes that turn a JWT verifier into a forgery machine, and the validation a correct verifier must perform.
OIDC vs OAuth 2.0: Authentication vs Authorization
Why OAuth 2.0 is about authorization and OpenID Connect is about authentication, the difference between an access token and an ID token, why using plain OAuth as a login mechanism is a known antipattern, and how to tell which token is which.
Verifying a JWT with a JWKS: From kid to Signature
Verifying a signed token is a short, strict sequence: read the header, find the key whose kid matches in the provider's JWKS, confirm the algorithm, and check the signature. Each step has a classic pitfall, and skipping the strictness is how verification bypasses happen.
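The strict sequence above, as an added example that is not the site's decoder or any identity provider's library: Base64URL segments with the padding stripped and restored, a signer, a decoder that proves nothing, and a verifier that takes an algorithm allowlist, looks the key up by `kid` with no fallback, checks the signature in constant time, and only then reads the claims. HS256 with a kid-keyed dictionary of secrets is used so the block runs with the standard library alone; a real provider's JWKS would hold RSA or EC public keys, and the `alg` allowlist is what stops `none` and key-confusion attacks either way.

```python
import base64
import hashlib
import hmac
import json
import time


class JwtError(Exception):
    pass


def b64url_encode(data):
    """JWT segments use the URL-safe alphabet (-_ for +/) with '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Restore the padding the producer stripped: pad to a multiple of four."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, key, kid):
    signing_input = _segment({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token):
    """Decoding is not verification: this reads header and claims and trusts nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("expected three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


class JwtVerifier:
    ALLOWED_ALGS = {"HS256"}      # allowlist: 'none', 'None', RS256 etc. are all refused

    def __init__(self, keys, issuer, audience):
        self.keys = keys           # kid -> secret bytes (stands in for a JWKS here)
        self.issuer = issuer
        self.audience = audience

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise JwtError("expected three segments")
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") not in self.ALLOWED_ALGS:
            raise JwtError(f"alg {header.get('alg')!r} not allowed")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise JwtError("unknown kid")       # never try every key until one fits
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise JwtError("bad signature")
        claims = json.loads(b64url_decode(parts[1]))   # only now are the claims worth reading
        if claims.get("iss") != self.issuer:
            raise JwtError("wrong issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise JwtError("token not meant for this audience")
        if "exp" not in claims or now >= claims["exp"]:
            raise JwtError("expired or missing exp")
        if now < claims.get("nbf", 0):
            raise JwtError("not yet valid")
        return claims
```

Two keys in the key set is the rotation case from the JWKS entry: tokens signed under the old kid keep verifying until it is removed, and a token naming a kid the verifier does not know is rejected rather than matched against whatever happens to work.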
Access tokens, refresh tokens, and ID tokens
Three OAuth and OpenID Connect tokens that get constantly confused, what each is actually for, and why sending the wrong one to the wrong place is a real bug.
OIDC Discovery: The openid-configuration Document
How the .well-known/openid-configuration document lets a relying party learn a provider's endpoints and capabilities automatically, what the issuer, jwks_uri, and signing-algorithm fields mean, why advertising the none algorithm is dangerous, and why PKCE S256 support matters.
Public vs confidential clients, and where PKCE fits
Whether an OAuth client can keep a secret decides its whole security model. Why SPAs and mobile apps are public clients, and why PKCE is now recommended for all of them.
The OAuth 2.0 authorization code flow
The four roles, the redirect-and-exchange dance, and why the code is swapped for a token on the back channel.
PKCE: securing the OAuth authorization code flow
The interception attack PKCE defeats, how the verifier and challenge fit together, and why S256 is mandatory.
OpenID Connect: identity on top of OAuth 2.0
How OIDC adds authentication to OAuth's authorization, what the ID token is, and why the code flow with PKCE is the recommended path.
How TOTP and HOTP one-time passwords work
Both turn a shared secret into a short code that proves possession without sending the secret. HOTP counts events; TOTP counts time. The engine underneath is the same HMAC plus a truncation step.
Validating one-time passwords: drift, windows, and replay
Generating a code is the easy half. Accepting one means tolerating clock drift, bounding the window, rejecting reuse, and throttling guesses, each a tradeoff between usability and security.
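Both halves, generation and acceptance, as one added example that is not the site's generator: HOTP per RFC 4226 (HMAC over the 8-byte counter, dynamic truncation, modulo 10^digits), TOTP per RFC 6238 on top of it, a Base32 secret decoder, and a server-side validator with a drift window, one-time use per counter value and a guess limit. The RFC test-vector secret is used so the values can be checked against the standards; the window of one step and the limit of five failures are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(text):
    """TOTP secrets are shared as Base32; tolerate case, spaces and stripped padding."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation on the
    low nibble of the last byte, mask the sign bit, then reduce to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to whole time steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, digestmod)


class TotpValidator:
    """Server-side acceptance: a drift window (assumed one step each way), one use
    per counter value, and a failure cap (assumed five) before throttling."""

    def __init__(self, secret, step=30, digits=6, window=1, max_failures=5):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.max_failures = window, max_failures
        self.last_counter = None     # highest counter value ever accepted
        self.failures = 0

    def validate(self, code, at=None):
        if self.failures >= self.max_failures:
            return False, "throttled"
        at = time.time() if at is None else at
        counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if self.last_counter is not None and candidate <= self.last_counter:
                continue            # a counter at or below one already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter, self.failures = candidate, 0
                return True, "ok"
        self.failures += 1
        return False, "invalid"


RFC_SECRET = b"12345678901234567890"    # the RFC 4226 / RFC 6238 test-vector key
```

The replay rule is stricter than "reject the last code": because the window spans several counter values, the validator remembers the highest counter it accepted and refuses anything at or below it, so a code captured a few seconds earlier cannot be reused even while it is still inside the window.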
Networking
BIG-IP Persistence Methods, and What Each Keys On
BIG-IP offers several persistence methods, and the only thing they have in common is the goal: send a returning client to the same pool member. What they key on, cookie, source address, SSL session ID, or an iRule-extracted value, decides where each one fits and where each one breaks.
How IPv4 addresses work
The 32 bits behind every dotted-quad address, and what private, loopback, and special ranges mean.
iRule Event Order: The Connection Lifecycle
iRules are event-driven, and the events fire in a fixed order as the BIG-IP processes a connection: accept the client, finish the client TLS handshake, parse the request, pick a pool member, connect to it, finish the server TLS handshake, send the request, read the response, tear down. Knowing that order is the difference between an iRule that works and one that errors.
The Anatomy of a bigip.conf File
Every object in a BIG-IP configuration follows the same shape: a module, a component, an optional type, a name, and a brace-delimited body. Once you can see that pattern, a wall of tmsh config becomes a readable tree of virtual servers, pools, monitors, and profiles.
The Syslog PRI: One Number, Two Meanings
Every syslog message starts with a PRI, a number in angle brackets that packs a facility and a severity into a single value. The formula is small and the arithmetic is easy once you have seen it: PRI equals facility times eight plus severity.
Choosing a Persistence Method (and Its Failure Modes)
Most persistence requirements are met by source address affinity or cookie persistence, but both have well-known failure modes: source affinity collapses behind NAT, and cookies need HTTP. Knowing where each method breaks is what turns a default choice into a deliberate one.
Client Side vs Server Side in iRules
A BIG-IP virtual server is a full proxy: it holds a separate connection to the client and to the pool member. iRule events run in one context or the other, and commands like IP::remote_addr return different things depending on which side you are on. Knowing the boundary prevents a whole class of confusing bugs.
How a BIG-IP Virtual Server Works
A virtual server is the front door of a BIG-IP. It binds a listening IP and port, applies a stack of profiles, decides persistence, picks a pool member, and translates the source address toward the backend. Reading those pieces in order tells you exactly how a connection will be handled.
Subnetting basics
How to divide one network into smaller subnets, and why borrowing host bits is the whole trick.
Syslog Facilities and Severities, Explained
Syslog defines 24 facilities and 8 severities. The severities are a clean urgency scale from emergency down to debug; the facilities are a mix of genuinely useful categories and historical Unix leftovers, plus eight local slots that network devices lean on heavily.
CIDR notation explained
What the slash in 192.168.1.0/24 actually means, and how a prefix length defines a block of IP addresses.
Fallback Persistence and the Match-Across Settings
A virtual server can carry two persistence methods, a primary and a fallback used when the primary finds no record, and three match-across settings that decide how widely a persistence record is shared. Both are easy to misconfigure in ways that only show up under load.
How LTM Health Monitors Decide Up or Down
A health monitor is the probe a BIG-IP uses to decide whether a backend member can receive traffic. Its send and receive strings, its interval and timeout, and where it is attached together determine how quickly a failure is noticed and how a member is marked down.
Syslog on Network Devices: Which Facility Does What
Firewalls, load balancers, and switches almost all log to the local facilities, but each vendor picks a different default. Knowing that FortiGate defaults to local7, Cisco ASA to local4, and F5 BIG-IP to local0 turns a wall of PRI numbers into a map of which box said what.
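One added example, not the site's PRI calculator, for this entry and the two syslog entries above it: the PRI arithmetic in both directions, the 24 facilities and 8 severities as tables, and a parser that turns a mixed feed into a map of which device class said what, using the vendor defaults named above as a hint. The sample log lines are constructed for the example, and a facility only suggests a sender: a relabelled device will mislead this mapping.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Vendor defaults from this page, used as a hint about the sender, not as proof.
DEFAULT_FACILITY_OWNER = {"local7": "FortiGate", "local4": "Cisco ASA", "local0": "F5 BIG-IP"}

_PRI = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Undo it: the facility is the quotient by 8 and the severity the remainder."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191 (23 * 8 + 7)")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line):
    """Split a raw syslog line into its PRI fields and the rest of the message."""
    m = _PRI.match(line)
    if not m:
        return {"pri": None, "facility": None, "severity": None,
                "likely_sender": None, "message": line}
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "likely_sender": DEFAULT_FACILITY_OWNER.get(facility, "unknown"),
            "message": line[m.end():]}


def summarize(lines):
    """Count messages per (likely sender, severity): the wall of PRI numbers as a map."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        key = (rec["likely_sender"], rec["severity"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample feed for this example.
SAMPLE_LINES = [
    "<189>date=2024-01-10 time=12:00:00 devname=fgt1 logid=0100032002 type=event level=notice",
    "<166>%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.5/51234",
    "<134>Jan 10 12:00:01 bigip1 tmm[1234]: 01010028:6: No members available for pool /Common/web_pool",
    "<34>Jan 10 12:00:02 host1 su: 'su root' failed for lonvick on /dev/pts/8",
]
```

The three vendor lines decode to local7/notice, local4/info and local0/info, which is exactly the 189, 166 and 134 you see at the front of real FortiGate, ASA and BIG-IP messages; the `<34>` line is the RFC 5424 example, auth/crit.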
iRule Priority and Multiple Rules
Event order governs which events fire and when. The priority command governs something different: when several iRules (or several handlers) listen for the same event, which one runs first. The default priority is 500, lower numbers run earlier, and getting this right matters when one rule's output feeds another.
VLSM: splitting a block into unequal subnets
How to carve one address block into subnets of different sizes without wasting space, and the largest-first rule that keeps it tidy.
A VLSM allocation, worked end to end
A full variable-length subnet allocation for a realistic network: sizing each segment, sorting largest-first, assigning the actual addresses, and accounting for the space left over.
FastL4 vs Standard: Which iRule Events You Get
A Standard virtual server is a full TCP proxy and exposes the rich set of L7 and SSL iRule events. A FastL4 virtual server is a packet-based fast path optimized for throughput, and it deliberately gives up most of those events. Choosing the profile is choosing which events exist.
Supernetting and route aggregation
How contiguous prefixes combine into a shorter one, the alignment rule that decides whether two blocks can merge, and the difference between exact aggregation and a single covering supernet.
What Makes an Event Fire: Provisioning and Profiles
An iRule event is only available if two things line up: the module it belongs to is provisioned, and the profile that produces it is attached to the virtual server. Some events need a third ingredient — an explicit collect command. Specify an event whose prerequisites are missing and there is no error; it simply never fires.
Route summarization
Why one summary route can replace many specific ones, the contiguous and aligned allocation it depends on, and the black-hole risk of summarizing a range you do not fully own.
Subnet overlaps and gaps
What it means for two prefixes to overlap or contain one another, why longest-prefix match makes some overlaps intentional, and how to find the unallocated gaps in an address plan.
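One worked example, added here and not the site's CIDR tool, covering the subnetting, VLSM, supernetting, summarization and overlap entries above: a largest-first VLSM allocation from a block, exact aggregation versus a single covering supernet, the pairwise overlap check, and the leftover gaps. The demand list is constructed; everything else is the standard `ipaddress` module.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest prefix with room for `hosts` usable addresses plus network and broadcast."""
    needed = hosts + 2
    return 32 - (needed - 1).bit_length()


def allocate_vlsm(block, demands):
    """Largest-first allocation. `free` is kept as a sorted list of unallocated
    prefixes; each demand takes the first free prefix big enough and the
    remainder of that prefix goes back on the list."""
    free = [ipaddress.ip_network(block)]
    assigned = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: (-kv[1], kv[0])):
        plen = prefix_for_hosts(hosts)
        for i, cand in enumerate(free):
            if cand.prefixlen > plen:
                continue                            # too small, keep looking
            chosen = cand if cand.prefixlen == plen else next(cand.subnets(new_prefix=plen))
            free[i:i + 1] = sorted(cand.address_exclude(chosen)) if chosen != cand else []
            assigned[name] = chosen
            break
        else:
            raise ValueError(f"no free space for {name} ({hosts} hosts, /{plen})")
    return assigned, free


def exact_aggregate(nets):
    """Merge only where contiguous, aligned prefixes combine exactly."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def covering_supernet(nets):
    """The single shortest prefix containing every input. It may also cover space
    you do not own, which is the black-hole risk of advertising it."""
    nets = [ipaddress.ip_network(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def find_overlaps(nets):
    """Two prefixes overlap only when one contains the other; report (outer, inner)."""
    nets = [ipaddress.ip_network(n) for n in nets]
    found = []
    for idx, a in enumerate(nets):
        for b in nets[idx + 1:]:
            if a.overlaps(b):
                outer, inner = (a, b) if a.prefixlen <= b.prefixlen else (b, a)
                found.append((str(outer), str(inner)))
    return found


def unallocated(block, used):
    """The gaps: the block minus every used prefix, as a sorted list."""
    free = [ipaddress.ip_network(block)]
    for net in sorted(ipaddress.ip_network(u) for u in used):
        for i, f in enumerate(free):
            if net.subnet_of(f):
                free[i:i + 1] = sorted(f.address_exclude(net)) if net != f else []
                break
    return free


# Constructed demand list for this example: hosts needed per segment.
DEMANDS = {"servers": 100, "staff": 50, "guests": 25, "mgmt": 10, "link-a": 2, "link-b": 2}
```

Run against 192.168.10.0/24 the six demands land on /25, /26, /27, /28, /30, /30 in that order and leave a single /29 free; collapsing the assigned prefixes does not give back the /24 because the free /29 breaks alignment, while the covering supernet does.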
Private IPv4 address space and RFC 1918
The three private ranges, why they are not routable on the Internet, and the other special blocks the CIDR tool flags.
Understanding IPv6 Addressing
How a 128-bit IPv6 address is structured and written, the rules for compressing it canonically, what the address types and scopes mean, and how interface identifiers and reverse DNS work.
How IPv6 hosts get addresses: SLAAC and DHCPv6
How an IPv6 host configures itself from link-local up, what router advertisements decide, and the difference between SLAAC, privacy addresses, and DHCPv6.
IPv6 subnetting and the /64 boundary
Why IPv6 subnetting is about structure rather than scarcity, why a single subnet is almost always a /64, and how prefix delegation hands out address space.
Neighbor Discovery: how IPv6 replaces ARP
How IPv6 finds neighbors on a link using ICMPv6 and multicast instead of broadcast ARP, the five Neighbor Discovery messages, and why broadcast is gone.
Running IPv6 and IPv4 together: dual-stack and translation
How the internet bridges two incompatible address families: dual-stack, Happy Eyeballs, NAT64, and the IPv4-embedded addresses that make it work.
Security & WAF
BIG-IP Persistence Cookies: What They Are and Why They Leak
Why an F5 BIG-IP inserts a BIGipServer cookie, what cookie persistence does, what the cookie value actually encodes, and why the default unencrypted form hands an internal address and port to anyone who reads the response.
HTTP Security Headers: The Defense-in-Depth Layer
What HTTP security headers are, why they form a layer of defense on top of secure code rather than a replacement for it, the headers that carry the most weight, and how to read a response's posture at a glance.
Regex Quantifiers and Character Classes
A regular expression is built from two questions: what character do I want, and how many of them? Character classes answer the first, quantifiers answer the second. Get these two right and most of regex falls into place.
SAML 2.0: How Browser SSO Works
What a SAML assertion is, the roles of the identity provider and service provider, the SP-initiated Web Browser SSO flow end to end, and the difference between the HTTP-POST and HTTP-Redirect bindings that carry the messages.
Content Security Policy, Directive by Directive
How CSP works as a control against cross-site scripting and injection: the shape of a policy, why default-src matters, what 'unsafe-inline' and 'unsafe-eval' give away, how nonces and hashes allow specific inline code safely, and what report-only mode is for.
Inside a SAML Assertion: Subject, Conditions, and Audience
The anatomy of a SAML assertion: the Subject and NameID formats, bearer SubjectConfirmation and the NotOnOrAfter / Recipient / InResponseTo checks, the Conditions validity window, the AudienceRestriction, and the AuthnStatement, with the validation a service provider must perform on each.
Regex Groups, Backreferences, and Lookarounds
Parentheses do far more than set precedence in a regex. They capture text for you to reuse, name the pieces you care about, and — with a question mark prefix — let you assert what comes before or after without consuming it.
The Four BIG-IP Cookie Encodings, Byte by Byte
A precise walk through the four unencrypted BIG-IP persistence cookie formats: default IPv4 with its reversed address bytes and byte-swapped port, IPv4 and IPv6 in route domains, and the IPv6 form, each with a worked decode.
Catastrophic Backtracking and ReDoS
Some innocent-looking patterns can take seconds, minutes, or effectively forever on a short string. The cause is catastrophic backtracking, and when an attacker controls the input it becomes a denial-of-service bug. Here is why it happens and how to write patterns that cannot.
HSTS and HTTPS Enforcement
How Strict-Transport-Security closes the HTTP downgrade window, what max-age, includeSubDomains, and preload each do, the trust-on-first-use gap that preloading removes, and the configuration mistakes that quietly disable it.
SAML Signatures and XML-DSig
How a SAML message is signed with XML Signature: the enveloped ds:Signature, the SignatureMethod and DigestMethod algorithms, why SHA-1 is weak, the difference between signing the Response and signing the Assertion, and how XML signature wrapping attacks work.
What a BIG-IP Cookie Tells an Attacker
The persistence cookie is a textbook information disclosure: it reveals internal IP addresses, ports, pool size, and route domains to any client. Why that matters for reconnaissance, how scanners harvest it, and how to think about the risk.
Closing the Leak: BIG-IP Cookie Encryption
How to stop a BIG-IP persistence cookie from disclosing internal addresses by encrypting it, what the encrypted value looks like, the related cookie hashing and naming options, and the trade-offs of each.
Cookie Security Flags
How Secure, HttpOnly, and SameSite protect session cookies, what each SameSite value means, why SameSite=None requires Secure, and how the __Host- and __Secure- prefixes enforce those guarantees at the browser level.
XXE and Why a SAML Parser Rejects DOCTYPE
How XML External Entity (XXE) attacks work, the billion-laughs denial-of-service, why both depend on a DTD, and why a hardened SAML decoder rejects any DOCTYPE or entity declaration outright rather than trying to parse it safely.
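The hardened-decoder rule from this entry, as an added example that is not the site's SAML inspector: a pre-parse pass with expat that aborts on the first DOCTYPE, entity declaration or external entity reference, placed before the real parse so nothing can expand, beside the naive ElementTree parse that expands internal entities as it reads. The three XML documents are constructed (the billion-laughs sample is cut to two levels; the real one nests around ten), and the issuer and response IDs in them are placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """The document carries a DTD or entity, which no SAML message needs."""


def reject_dtd(data):
    """Walk the bytes with expat and raise on the first DOCTYPE, entity declaration
    or external reference, before any entity can be expanded."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} rejected")

    def on_entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity reference {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_saml(data):
    """Hardened path: refuse the DTD outright, then parse normally."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data):
    try:
        root = parse_saml(data)
    except UnsafeXml as exc:
        return "rejected: " + str(exc)
    except (ET.ParseError, expat.ExpatError) as exc:
        return "malformed: " + str(exc)
    return "ok: " + root.tag


def parse_naively(data):
    """What a plain ElementTree parse does: internal entities are expanded as read,
    so the billion-laughs document below comes back as a string of 'lol's."""
    return ET.fromstring(data)


# Constructed samples. The attack payloads are cut short; the shape is what matters.
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
       b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">&xxe;</saml:Issuer>'
       b'</samlp:Response>')
CLEAN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" Version="2.0">'
         b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml:Issuer>'
         b'</samlp:Response>')
```

Rejecting at the DOCTYPE means the entity declarations are never even read, so the decoder does not need to reason about nesting depth, external resolution or parameter entities; a SAML message that needs a DTD is not a SAML message you want.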
Clickjacking and Frame Control
What clickjacking is, how framing makes it possible, the difference between the legacy X-Frame-Options header and the modern CSP frame-ancestors directive, why ALLOW-FROM is obsolete, and how the two controls interact.
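One added example, not the site's header inspector, for this entry and the security-headers, CSP, HSTS and cookie-flags entries above it: a response posture check that reads HSTS directives, the CSP script and frame-ancestors directives, the X-Frame-Options fallback, and each Set-Cookie line, and lists what a practitioner would flag. The two sample responses are constructed; the one-year minimum for max-age is the preload list's requirement, and the other thresholds are the usual hardening guidance rather than a standard.

```python
ONE_YEAR = 31536000   # seconds; the smallest max-age the HSTS preload list accepts


def _directives(value, sep=";"):
    """'a=1; b; c=2' into a lowercase-keyed dict (bare directives map to '')."""
    out = {}
    for piece in value.split(sep):
        name, _, val = piece.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def check_hsts(value):
    d, findings = _directives(value), []
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return ["HSTS: max-age missing or unparsable, browsers ignore the header"]
    if max_age == 0:
        findings.append("HSTS: max-age=0 deletes the stored policy")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is under one year")
    if "preload" in d and not ("includesubdomains" in d and max_age >= ONE_YEAR):
        findings.append("HSTS: preload needs includeSubDomains and max-age >= one year")
    return findings


def parse_csp(value):
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(policy):
    findings = []
    if "default-src" not in policy:
        findings.append("CSP: no default-src, every unlisted fetch directive is wide open")
    script = policy.get("script-src", policy.get("default-src", []))
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:   # with a nonce/hash present, CSP3 ignores it
        findings.append("CSP: script-src allows 'unsafe-inline' with no nonce or hash, inline XSS runs")
    if "'unsafe-eval'" in script:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    if "*" in script or "data:" in script:
        findings.append("CSP: script-src allows * or data:, any origin can supply script")
    return findings


def check_framing(policy, xfo):
    if "frame-ancestors" in policy:
        return []        # frame-ancestors wins; supporting browsers ignore X-Frame-Options
    if not xfo:
        return ["framing: neither frame-ancestors nor X-Frame-Options, the page can be framed"]
    if xfo.upper().startswith("ALLOW-FROM"):
        return ["framing: X-Frame-Options ALLOW-FROM is obsolete and treated as absent"]
    return []


def check_set_cookie(value):
    name = value.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = _directives(value.split(";", 1)[1] if ";" in value else "")
    secure, samesite, findings = "secure" in attrs, attrs.get("samesite", "").lower(), []
    if not secure:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly, script can read it")
    if samesite == "none" and not secure:
        findings.append(f"cookie {name}: SameSite=None without Secure is rejected by browsers")
    elif not samesite:
        findings.append(f"cookie {name}: no SameSite attribute, behaviour depends on the browser default")
    if name.startswith("__Host-") and not (secure and attrs.get("path") == "/" and "domain" not in attrs):
        findings.append(f"cookie {name}: __Host- prefix requires Secure, Path=/ and no Domain")
    if name.startswith("__Secure-") and not secure:
        findings.append(f"cookie {name}: __Secure- prefix requires Secure")
    return findings


def audit(raw_headers):
    """raw_headers is a list of (name, value) pairs so repeated Set-Cookie lines all get checked."""
    single = {n.lower(): v for n, v in raw_headers}
    findings = check_hsts(single["strict-transport-security"]) if "strict-transport-security" in single else ["HSTS: header absent"]
    policy = parse_csp(single.get("content-security-policy", ""))
    findings += check_csp(policy) if "content-security-policy" in single else ["CSP: header absent"]
    findings += check_framing(policy, single.get("x-frame-options", ""))
    for n, v in raw_headers:
        if n.lower() == "set-cookie":
            findings += check_set_cookie(v)
    return findings


# Constructed sample responses for this example.
WEAK = [("Strict-Transport-Security", "max-age=300"),
        ("Content-Security-Policy", "script-src 'self' 'unsafe-inline'"),
        ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
        ("Set-Cookie", "session=abc123; SameSite=None; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
            ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
            ("Set-Cookie", "__Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/")]
```

The `__Host-` check is the browser's own rule made explicit: a prefixed cookie that lacks Secure or `Path=/`, or carries a Domain, is dropped rather than set, so a misconfiguration there shows up as a lost session rather than a weak one.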
TLS & transport
Anatomy of a TLS Cipher Suite
What a TLS cipher suite actually names, how to read a suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 piece by piece, and how the same two-byte code point shows up under three different naming conventions.
Client SSL vs Server SSL Profiles on BIG-IP
A BIG-IP can sit in the middle of a TLS connection and decrypt it. A client-ssl profile makes the BIG-IP the TLS server to the client; a server-ssl profile makes it the TLS client to the pool. Knowing which side each profile owns is the key to offload, bridging, and re-encryption designs.
Reading an F5 Cipher String
An F5 cipher string is an ordered list of cipher sets separated by colons, where each set combines keywords with a plus sign and a leading operator can exclude, delete, or de-prioritize. Once you can read the grammar, a dense string like ECDHE:RSA:!SSLv3:@STRENGTH becomes a clear set of instructions.
Enabling and Disabling TLS Versions with the options Field
An SSL profile's options field is a list of flags, and the protocol flags work by SUBTRACTION: a TLS version is offered unless a matching no- flag disables it. That 'disable, not enable' logic is a frequent source of surprise, and it is where TLS 1.0/1.1 hygiene lives.
Reading Cipher Suite Names: IANA, OpenSSL, and GnuTLS
Why the same cipher suite has three different names and a two-byte code point, how to translate between the IANA, OpenSSL, and GnuTLS conventions, and what the IANA Recommended column of Y, N, and D actually means.
Which TLS Cipher Keywords Are Safe, and Which Are Not
The difference between a hardened cipher string and a dangerous one is a handful of keywords. Forward secrecy comes from ECDHE and DHE; the risks come from RC4, 3DES, SSLv3, EXPORT, NULL, and anonymous DH. Knowing the short list lets you read a cipher string's security at a glance.
AEAD vs CBC: Why the Mode Matters
The practical difference between an AEAD cipher like AES-GCM and an older CBC cipher with a separate HMAC, the padding-oracle attacks that killed MAC-then-encrypt, and the one tradeoff AEAD still asks you to make.
F5 Cipher Rules, Cipher Groups, and Why Expansion Is Version-Specific
BIG-IP v13 replaced hand-edited cipher strings with cipher rules and cipher groups, a more readable model where rules hold strings and groups combine them with allow, restrict, and exclude. The final ordered suite list still comes from the per-TMOS cipher database, which is why the same string expands differently across versions.
iRule SSL Handshake Events
The client-SSL and server-SSL profiles add their own iRule events around the TLS handshake. CLIENTSSL_CLIENTHELLO fires before the handshake completes, which is what makes SNI-based profile and pool selection possible; CLIENTSSL_HANDSHAKE fires after. The server-SSL side mirrors them on the connection to the pool.
Forward Secrecy and the Key Exchange
What forward secrecy buys you, why static RSA key transport does not provide it, how ECDHE and DHE do, and why authentication and key exchange are two separate jobs that a suite name keeps distinct.
Renegotiation, Secure Renegotiation, and OCSP Stapling
Three SSL profile settings shape the handshake's safety after the first message: renegotiation decides whether a connection may renegotiate at all, secure-renegotiation enforces the RFC 5746 protection, and ocsp-stapling lets the BIG-IP attach a fresh revocation proof so clients need not phone the CA.
TLS 1.3 Cipher Suites: What Changed
Why a TLS 1.3 suite names only a cipher and a hash, where the key exchange and authentication went, and why the list of suites shrank from hundreds to a handful.
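One added example, not the site's cipher-suite inspector, for this entry and the suite-anatomy, safe-keyword, AEAD-versus-CBC and forward-secrecy entries above: a parser that reads an IANA suite name piece by piece (key exchange and authentication before WITH, cipher and MAC hash after it), recognises the TLS 1.3 form that names only the AEAD and the hash, and reports forward secrecy, AEAD and the short list of dangerous keywords. The key-exchange table covers the common combinations; an unfamiliar prefix raises rather than guesses.

```python
# Key-exchange/authentication prefixes, as they appear before _WITH_.
# Assumption of this example: the anonymous suites are recorded as ephemeral (DHE/ECDHE)
# because their DH parameters are ephemeral, but they are unauthenticated and so unusable.
KX_AUTH = {
    "RSA": ("RSA", "RSA"), "RSA_EXPORT": ("RSA", "RSA"),       # static RSA key transport
    "DHE_RSA": ("DHE", "RSA"), "DHE_DSS": ("DHE", "DSS"), "DHE_RSA_EXPORT": ("DHE", "RSA"),
    "ECDHE_RSA": ("ECDHE", "RSA"), "ECDHE_ECDSA": ("ECDHE", "ECDSA"),
    "ECDH_RSA": ("ECDH", "RSA"), "ECDH_ECDSA": ("ECDH", "ECDSA"),   # static ECDH: no forward secrecy
    "DH_anon": ("DHE", "anon"), "ECDH_anon": ("ECDHE", "anon"),
    "PSK": ("PSK", "PSK"), "DHE_PSK": ("DHE", "PSK"), "ECDHE_PSK": ("ECDHE", "PSK"), "RSA_PSK": ("RSA", "PSK"),
}
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
WEAK_TOKENS = {
    "RC4": "RC4: exploitable keystream biases",
    "3DES": "3DES: 64-bit block, Sweet32 birthday attack",
    "DES": "single DES: 56-bit key",
    "RC2": "RC2: obsolete",
    "NULL": "NULL cipher: no confidentiality",
}


def parse_suite(name):
    """Split an IANA suite name into its parts and evaluate it."""
    if not name.startswith("TLS_"):
        raise ValueError("not an IANA suite name")
    body = name[4:]
    if "_WITH_" in body:
        kx_part, cipher_part = body.split("_WITH_", 1)
        if kx_part not in KX_AUTH:
            raise ValueError(f"unknown key exchange/authentication prefix {kx_part!r}")
        kx, auth = KX_AUTH[kx_part]
        version = "TLS 1.2 or earlier"
    else:                                   # TLS 1.3 names only the AEAD and the HKDF hash
        cipher_part, version = body, "TLS 1.3"
        kx = "(EC)DHE, chosen via supported_groups, not in the suite"
        auth = "certificate or PSK, not in the suite"
    tokens = cipher_part.split("_")
    hash_name = tokens[-1] if tokens[-1] in HASHES else None
    cipher = "_".join(tokens[:-1]) if hash_name else cipher_part
    aead = any(t in ("GCM", "CCM", "POLY1305") for t in tokens)
    forward_secrecy = version == "TLS 1.3" or kx in ("ECDHE", "DHE")

    problems = []
    if auth == "anon":
        problems.append("anonymous key exchange: unauthenticated, trivially intercepted")
    if not forward_secrecy:
        problems.append("no forward secrecy: a leaked long-term key decrypts recorded sessions")
    if "EXPORT" in name:
        problems.append("export-grade key sizes")
    problems += [WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS]
    if hash_name == "MD5":
        problems.append("MD5-based MAC")
    if "CBC" in tokens:
        problems.append("CBC with MAC-then-encrypt: padding-oracle history (Lucky 13, POODLE)")
    return {
        "name": name, "version": version, "key_exchange": kx, "authentication": auth,
        "cipher": cipher, "hash": hash_name, "aead": aead,
        "forward_secrecy": forward_secrecy, "problems": problems,
    }


def rank(names):
    """Clean suites first, then by how much is wrong with them."""
    return sorted(names, key=lambda n: len(parse_suite(n)["problems"]))
```

Seen this way a cipher string reads at a glance: a suite is good when its key exchange starts with ECDHE or DHE (or it is a TLS 1.3 suite), its cipher is an AEAD, and none of the five weak tokens appear.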