For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dlogsdonmd's avatar
dlogsdonmd
Icon for Nimbostratus rankNimbostratus
Jun 14, 2017

Block Ciphers F5 LTM

Hello, I want to block specific ciphers on my LTM. We use a common SSL client profile for a good chunk of our sites/subdomains. Below are the two ciphers I want to block (SSL Labs reports them as wea...
application delivery
devops
LTM
Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Jun 14, 2017

The first thing you need to understand is the fact that the "DEFAULT" changes between versions. If you update the F5 to 12.1.2, it will probably have a default that has removed the ciphers that are considered weak today.

Secondly, no need to guess, as you can test the behaviour without applying the change. If you do this commands:

tmm --clientciphers "DEFAULT:!SSLv3:!RC4"
tmm --clientciphers "DEFAULT:!SSLv3:!RC4:!3DES"

And compare the output, you know which ciphers were removed.

Lastly, some solutions to explain you a little bit more:

https://support.f5.com/csp/article/K13156

https://support.f5.com/csp/article/K13163

Or the main solution for SSL profiles:

https://support.f5.com/csp/article/K8802