Forum Discussion
Skuba_85554
Nimbostratus
Feb 12, 2010
best practice for ssl ciphers
Hi everyone,
We've recently had a security audit and the report has recommended that we disable the following ciphers:
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5 ...
hoolio
Cirrostratus
Feb 16, 2010
If you disable a cipher in the client SSL profile, LTM won't offer it in the list of available ciphers in the server hello during the SSL handshake. There wouldn't be any negative impact if the client and LTM can agree on a cipher. The only problem arises if there isn't at least one cipher in the list of ciphers the client and LTM both support. In that case, the SSL handshake will fail.
So it's good to configure the limited ciphers on a test VIP and test with each OS/browser combination (or as many as you can) that your web app supports.
Aaron
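The pre-change check described in the reply above, as an added example that is not part of the original thread: it models which client types would still find a common cipher once the audited ciphers are removed. The server list, the client offers and the server-preference selection rule are constructed assumptions; replace them with the profile's real cipher list and the offers seen from your supported OS/browser combinations.

```python
# Ciphers the audit asked to disable (the three names visible in the question).
AUDIT_DISABLED = {"EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5"}

# Constructed server cipher list in preference order (hypothetical profile contents).
SERVER_BEFORE = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA",
                 "EXP-RC4-MD5", "EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5"]

# Constructed Client Hello cipher offers, one per client type under test.
CLIENT_OFFERS = {
    "modern-browser": ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    "older-browser": ["RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"],
    "export-only-device": ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"],
}


def negotiate(server_ciphers, client_offer):
    """Return the first server-preferred cipher the client also offers, else None.

    Assumption: the server picks by its own preference order.
    """
    offered = set(client_offer)
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None  # no common cipher: the handshake fails


def impact_report(server_before, disabled, client_offers):
    """Compare the negotiation result per client before and after the change."""
    server_after = [c for c in server_before if c not in disabled]
    report = {}
    for name, offer in client_offers.items():
        before = negotiate(server_before, offer)
        after = negotiate(server_after, offer)
        if after is None:
            status = "handshake fails"
        elif before != after:
            status = "cipher changes"
        else:
            status = "unchanged"
        report[name] = (before, after, status)
    return report


if __name__ == "__main__":
    rows = impact_report(SERVER_BEFORE, AUDIT_DISABLED, CLIENT_OFFERS)
    for name, (before, after, status) in rows.items():
        print(f"{name:20} before={before} after={after} -> {status}")
```

Any client reported as "handshake fails" is one to confirm against the test VIP before the change goes to production.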