A cipher is an algorithm for performing encryption or decryption.

Each Virtual Service that has SSL Acceleration enabled has a cipher set assigned to it. This can be either a system-defined cipher set or a user-customized cipher set. Selecting a system-defined cipher set is a quick way to apply the relevant ciphers.

In the FIPS LoadMaster, there are three system-defined cipher sets: Default, WUI, and BestPractices. Each of these cipher sets contains only ciphers that are supported by FIPS.

The list of ciphers in the Default, WUI, and BestPractices cipher sets is the same in FIPS mode and is as follows:

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • AES128-SHA256
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES256-GCM-SHA384
  • DHE-DSS-AES128-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-DSS-AES256-SHA256
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384

The first two ciphers in the list above are the supported TLS 1.3 FIPS ciphers; the remainder are TLS 1.2 FIPS ciphers.

Note: The ciphers shown above are the only ciphers available in FIPS mode; no additional ciphers can be added to the system. If you attempt to use a certificate or key that employs ciphers not in the above list, you will generally get an Invalid Pass Phrase error (which is standard OpenSSL behavior).
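Because nothing outside this list can be used in FIPS mode, a proposed custom cipher set can be checked against it before it is applied. The following is an added example, not LoadMaster code: the function name `check_cipher_set`, the colon-separated input format, and the sample input are assumptions made for illustration.

```python
# Added example: pre-flight check of a proposed custom cipher set against the
# FIPS-mode cipher list on this page. The colon-separated input format is an
# assumption, not a documented LoadMaster interface.
FIPS_TLS13 = ("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256")
FIPS_TLS12 = (
    "AES128-SHA256", "AES128-GCM-SHA256", "AES256-SHA256", "AES256-GCM-SHA384",
    "DHE-DSS-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "DHE-DSS-AES256-SHA256", "DHE-DSS-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
)

def check_cipher_set(proposed: str) -> dict:
    """Sort a colon-separated cipher list into FIPS TLS 1.3, FIPS TLS 1.2,
    rejected and duplicate names, preserving the proposed order."""
    result = {"tls13": [], "tls12": [], "rejected": [], "duplicates": []}
    seen = set()
    for raw in proposed.split(":"):
        name = raw.strip()          # tolerate stray whitespace around names
        if not name:
            continue                # tolerate empty fields such as "A::B"
        if name in seen:
            result["duplicates"].append(name)
            continue
        seen.add(name)
        if name in FIPS_TLS13:
            result["tls13"].append(name)
        elif name in FIPS_TLS12:
            result["tls12"].append(name)
        else:
            result["rejected"].append(name)   # not available in FIPS mode
    # A protocol version with no cipher left in the set cannot be negotiated.
    result["protocols_without_ciphers"] = [
        label for label, key in (("TLS 1.3", "tls13"), ("TLS 1.2", "tls12"))
        if not result[key]
    ]
    return result

# Constructed sample input: ECDHE-RSA-AES128-SHA256 and AES256-SHA are valid
# OpenSSL cipher names but are not in the FIPS list above.
SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:AES256-SHA:"
          "DHE-RSA-AES128-GCM-SHA256: ECDHE-RSA-AES256-GCM-SHA384")

if __name__ == "__main__":
    for key, value in check_cipher_set(SAMPLE).items():
        print(f"{key}: {value}")
```
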

You can edit the list of ciphers which are assigned to a Virtual Service by clicking Modify Cipher Set. If changes are made to a preconfigured cipher set, a new custom cipher set is created. You can create custom cipher sets and use them across different Virtual Services.

Note: When you create or modify a custom cipher set, the LoadMaster restarts the SSL services to apply the updated configuration. As part of this process, all affected Virtual Services are temporarily stopped and restarted.

This behavior is expected and can cause a brief interruption to client connections while the configuration change is applied. To minimize impact in production environments, we recommend:

  • Creating and testing new cipher sets on a non‑production LoadMaster first.

  • Scheduling cipher set changes during a maintenance window.

By default, the name for the custom cipher set is Custom_<VirtualServiceID>. We recommend changing the name of custom cipher sets because if another system-defined cipher set is modified, the name again defaults to Custom_<VirtualServiceID> and overwrites any existing cipher sets with that name.

Note: It is not possible to modify the list of ciphers in a system-defined cipher set. Instead, a new custom cipher set is created when changes are made to the ciphers list.