Forum Discussion
dominatorz_1208
Nimbostratus
Feb 12, 2013
Changing Client SSL profile
Dear Experts
I am new to this project, I have been assigned on changing the client SSL profile to protect against the BEAST exploit vulnerability found in SSL 3.0 and TLS 1.0
My questions are...
nitass
Employee
Feb 13, 2013
> Also please could you give a brief idea what services could it affect if I am changing the existing client profile, as I need to draft a change release plan and request to approve what I am changing.

as Steve mentioned, new connection to virtual server using that clientssl profile will be affected (i.e. using the new setting).
sol13253: Configuration changes to local traffic objects do not affect existing connections
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html
you can display ssl cipher suite list used by bigip using tmm --clientciphers command.
e.g.
[root@ve10:Active] config tmm --clientciphers 'TLSv1_2:RC4:SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
4: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
6: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
7: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
8: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
9: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
10: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
11: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
14: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
15: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
16: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
17: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
18: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
19: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
to test cipher, you may use "openssl s_client" or "curl". there is an option to specify cipher you want to use.
hope this helps.
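Added example, not part of the post above or of F5's tooling: a shell filter that reads the `tmm --clientciphers` listing and prints the suites that pair a block cipher with SSL3 or TLS1, which are the rows BEAST concerns because it targets CBC-mode ciphers in those protocol versions (RC4 is a stream cipher and is not matched). It assumes the column layout shown in the post and that CIPHER values AES and DES are CBC-mode suites, as they are in that listing; `beast_exposed` and `sample_listing` are names made up here.

```shell
#!/bin/sh
# Added example, not from the thread or from F5.
# Reads `tmm --clientciphers` output on stdin and prints "PROT SUITE" for each
# suite that pairs a block cipher with SSL3 or TLS1 (the BEAST-relevant rows).
# Assumptions: columns are index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC,
# KEYX as in the post, and CIPHER values AES and DES are CBC-mode suites,
# which holds for every suite in that listing.
beast_exposed() {
    awk '$1 ~ /^[0-9]+:$/ && ($5 == "SSL3" || $5 == "TLS1") && ($7 == "AES" || $7 == "DES") { print $5, $3 }'
}

# Sample input: header and rows 7-19 copied from the listing in the post.
sample_listing() {
    cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
7: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
8: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
9: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
10: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
11: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
14: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
15: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
16: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
17: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
18: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
19: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
EOF
}

# On the BIG-IP itself the input would come from the command in the post:
#   tmm --clientciphers '<cipher string>' | beast_exposed
sample_listing | beast_exposed
```

An empty result for a candidate cipher string means no SSL3 or TLS1 row in the listing uses AES or DES, which is the condition to confirm before putting the new profile into the change plan.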