best practice for ssl ciphers

Question

Hi All:&nbsp;

&nbsp;

I send this post to ask you that the last week I have a auditory, an they tell me that I have &nbsp;

Low Strength Ciphers (&lt; 56-bit key).

And I need to change the

weak SSL ciphers.
&nbsp;

How can I change this option on my LTM 3900?&nbsp;

&nbsp;

Since now thanks alot.
&nbsp;

&nbsp;
&nbsp;
Synopsis&nbsp;The remote service supports the use of weak SSL ciphers.&nbsp;
List of Hosts&nbsp;&nbsp;&nbsp;&nbsp;

Plugin Output&nbsp;
Here is the list of weak SSL ciphers supported by the remote server :&nbsp;
&nbsp;Low Strength Ciphers (&lt; 56-bit key)
&nbsp;SSLv3
&nbsp;EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;TLSv1
&nbsp;EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export &nbsp;
&nbsp;The fields above are :&nbsp;
&nbsp;{OpenSSL ciphername}
&nbsp;Kx={key exchange}
&nbsp;Au={authentication}
&nbsp;Enc={symmetric encryption method}
&nbsp;Mac={message authentication code}
&nbsp;{export flag}
&nbsp;

&nbsp;

hoolio · Answer

You can customize the allowed ciphers for a VS using this SOL 
&nbsp;  
&nbsp; sol7815: Configuring the cipher strength for SSL profiles 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html 
&nbsp;  
&nbsp; And for the management GUI using this: 
&nbsp;  
&nbsp; sol6768: Restricting Configuration utility access to SSL clients that are 128 bits or higher 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html 
&nbsp;  
&nbsp; Aaron

hoolio · Answer

...&nbsp;

mcorvalan_57694 · Answer

Ok Aaron thanx alot for replying me asap. 
&nbsp; I think that the last option that u sent me it's gonna be usefully for me, because the problem that i found . 
&nbsp; is the IP 10.100.101.6 it's my managment interface an' not any virtual sever. &nbsp;

doug_24189 · Answer

And make sure you enable the option no SSLv2.

Forum Discussion

best practice for ssl ciphers

4 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Cipher Suite Practices and Pitfalls

AS3 Best Practice

F5 Certified Practice Exams

Security Best Practices for F5 Products

Five Ways to Automate F5OS with Ansible: A Practical Guide

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS