Forum Discussion
THE_BLUE
Cirrostratus
May 21, 2025
Create cipher group in f5
I need to create custom cipher suites in F5 BIG-IP to enable TLS 1.3, 1.2 and disable the weak ciphers. I have tried to create the rule but I got "Cipher string is invalid". What can I do?
I tried to use the cipher group (f5-secure), but there are weak ciphers in it and I want to disable them.
As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, for example. You need to disable all ECDHE, which you probably do not want to.
For CHACHA20 use:
DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305
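An added example, not part of the original thread: a Python check that takes the protocol/suite pairs a TLS scanner reports for the virtual server and flags any that the exclusions in the string above should have removed, plus CBC suites like the one named in the reply. The keyword-to-suite mapping is an assumed reading of each keyword, not F5's parser, and the sample list is constructed.

```python
import re

# Assumed reading of each exclusion keyword in the thread's cipher string, as a
# test on (protocol, key exchange, rest of the IANA name). Not F5's own parser.
EXCLUSIONS = {
    "!sslv3": lambda proto, kx, body: proto == "SSLv3",
    "!TLSv1": lambda proto, kx, body: proto == "TLSv1",
    "!rc4": lambda proto, kx, body: "RC4" in body,
    "!exp": lambda proto, kx, body: "EXPORT" in kx,
    "!3des": lambda proto, kx, body: "3DES" in body,
    "!des": lambda proto, kx, body: re.search(r"(?<!3)DES", body) is not None,
    "!RSA": lambda proto, kx, body: kx.startswith("RSA"),
    "!DHE": lambda proto, kx, body: kx.startswith("DHE_"),
}

def split_suite(name):
    """Split an IANA suite name into (key_exchange, remainder)."""
    stem = re.sub(r"^(TLS|SSL)_", "", name)
    kx, sep, body = stem.partition("_WITH_")
    return (kx, body) if sep else ("", stem)  # TLS 1.3 names have no _WITH_

def audit(offered, flag_cbc=True):
    """Map each offending (protocol, suite) pair to the checks it trips."""
    findings = {}
    for proto, suite in offered:
        kx, body = split_suite(suite)
        hits = [kw for kw, test in EXCLUSIONS.items() if test(proto, kx, body)]
        if flag_cbc and "_CBC_" in f"_{body}_":
            hits.append("cbc")  # not excluded by the string; reported separately
        if hits:
            findings[(proto, suite)] = hits
    return findings

# Constructed sample of what a scanner might report; not taken from the thread.
SAMPLE = [
    ("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]

if __name__ == "__main__":
    for (proto, suite), hits in audit(SAMPLE).items():
        print(f"{proto:8} {suite:45} {', '.join(hits)}")
```

Under this reading the CBC suite named in the reply trips none of the string's exclusions, which is why it is reported under a separate `cbc` check that can be turned off with `flag_cbc=False`.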
9 Replies
- hoolio
Cirrostratus
Yes, and yes. To close the connection, you can use a send string like this:
- taro_112311
Nimbostratus
Is it correct in the following understanding?
- hoolio
Cirrostratus
Sorry, I mis-read your original question. I know that the connection to the server can be kept open if the Connection: close isn't used, and that this can leave connections open for longer than necessary, but I don't know whether LTM would ever re-use it if it's still open. I'll try testing to see.
- hoolio
Cirrostratus
Testing on 9.2.x, I see LTM selecting a new port regardless of the send string configuration, which I guess follows with the recommendation to use the Connection: close header to tell the server to close the TCP connection.
- Deb_Allen_18
Historic F5 Account
Thanks for clarifying, Aaron.