BIG-IP 11.6 - Disable MD5 and 96-bit MAC algorithms and CBC mode for SSH

Question

Hi,&nbsp;
our customer has BIG-IP 2000s with 11.6 HF4 TMOS, they had security audit which ends with 2 vulnerabilities and action points:&nbsp;
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.&nbsp;
disable MD5 and 96bit MAC algorithms
The SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext.&nbsp;
disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption
Can you pls help me how to disable MD5 and 96-bit algorithms and CBC mode cipher encryption (and enable CTR or GCM cipher mode encryption) for SSH?&nbsp;

boneyard · Answer

been asked before, see here:&nbsp;
https://devcentral.f5.com/questions/ssh-ciphers-change&nbsp;

Forum Discussion

BIG-IP 11.6 - Disable MD5 and 96-bit MAC algorithms and CBC mode for SSH

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

Automating Certificate Management on F5 BIG-IP

Introducing the F5 AI Assistant for BIG-IP

BIG-IP security hardening and compliance checks

BIG-IP Report

F5 BIG-IP Zero Trust with BIG-IP SSL Orchestrator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS