Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
May 21, 2025
Solved

Create cipher group in f5

i need to create custom cipher suites in f5 bigip to enable TLS 1.3 , 1.2 and disable the weak cipher .. i have tried to create the rule but i got Cipher string is invalid. what i can do?  i tried t...
application delivery
security
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    May 21, 2025

    As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for exaple. oyu need to disable all ECDHE which probably do not want to.

    for CHACHA20 use
    DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305

Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
May 21, 2025

F5 shows ECDHE-RSA-AES256-SHA384/TLS1.2 as available but ssllabs test shows only TLS1_3

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
May 22, 2025

yes exactly .. and when i apply that and test it with ssl lab in show that no cipher for tls1.2 and the score become lower 

  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    Icon for Nacreous rankNacreous
    May 22, 2025

    Actually I missed -GCM- 
    TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2 works fine. Thanks Daniel_Wolf​ 

    I would also use ECDHE-ECDSA-AES128-GCM-SHA256 to have some more backward compatibility for older clients.

    and maybe DTLS for VPN