For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
May 21, 2025
Solved

Create cipher group in f5

i need to create custom cipher suites in f5 bigip to enable TLS 1.3 , 1.2 and disable the weak cipher .. i have tried to create the rule but i got Cipher string is invalid. what i can do?  i tried t...
application delivery
security
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    May 21, 2025

    As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for exaple. oyu need to disable all ECDHE which probably do not want to.

    for CHACHA20 use
    DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305

Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
May 21, 2025

F5 shows ECDHE-RSA-AES256-SHA384/TLS1.2 as available but ssllabs test shows only TLS1_3

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
May 22, 2025

TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2 - works with EC cert for TLS1_2

TLSv1_3:ECDHE-RSA-AES256-GCM-SHA384:!DTLSv1_2 - works with RSA cert for TLS1_2

for TLSv1.3 both will use TLS_AES_256_GCM_SHA384 if ordered by strength in the Cipher Group. No matter EC or RSA cert.