F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
May 21, 2025
Solved

Create cipher group in f5

i need to create custom cipher suites in f5 bigip to enable TLS 1.3 , 1.2 and disable the weak cipher .. i have tried to create the rule but i got Cipher string is invalid. what i can do?  i tried t...
application delivery
security
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    May 21, 2025

    As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for exaple. oyu need to disable all ECDHE which probably do not want to.

    for CHACHA20 use
    DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
May 21, 2025

You can actually be very granular with that. Take a look here: K000137907: Commands to see Ciphers and Protocols used in a particular STRING

This is a very secure cipher string: 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
This leaves only TLS 1.3 and only one TLS 1.2 ECDHE with AES256 and SHA384. All weaker TLS 1.2 are excluded.

[root@awaf:Active:Standalone] config # tmm --clientciphers 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *         
 1:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *         
 2:  4867  TLS13-CHACHA20-POLY1305-SHA256   256  TLS1.3  CHACHA20-POLY1305   NULL    *         
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA