Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
May 21, 2025
Solved

Create cipher group in f5

i need to create custom cipher suites in f5 bigip to enable TLS 1.3 , 1.2 and disable the weak cipher .. i have tried to create the rule but i got Cipher string is invalid. what i can do?  i tried t...
application delivery
security
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    May 21, 2025

    As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for exaple. oyu need to disable all ECDHE which probably do not want to.

    for CHACHA20 use
    DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305

Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
May 21, 2025

try this one
DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1

  • THE_BLUE's avatar
    THE_BLUE
    Icon for Cirrostratus rankCirrostratus
    May 21, 2025

    thank you , i have try it .. when i test the ssl i found weak ciphers too .. so how to disable them ? ((TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  , TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  , TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ))   and i need to add (include (TLS_CHACHA20_POLY1305_SHA256 )  , TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)

    • Injeyan_Kostas's avatar
      Injeyan_Kostas
      Icon for Nacreous rankNacreous
      May 21, 2025

      As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for exaple. oyu need to disable all ECDHE which probably do not want to.

      for CHACHA20 use
      DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305

      • THE_BLUE's avatar
        THE_BLUE
        Icon for Cirrostratus rankCirrostratus
        May 21, 2025

        thank you very much