THE_BLUE
May 21, 2025
Solved

Create cipher group in f5

I need to create custom cipher suites in F5 BIG-IP to enable TLS 1.3 and 1.2 and disable the weak ciphers. I have tried to create the rule but I got "Cipher string is invalid". What can I do?

I tried to use the cipher group (f5-secure) but there are weak ciphers in it and I want to disable them.


9 Replies

  • You can actually be very granular with that. Take a look here: K000137907: Commands to see Ciphers and Protocols used in a particular STRING

    This is a very secure cipher string: 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
    This leaves only TLS 1.3 and only one TLS 1.2 ECDHE suite with AES256 and SHA384. All weaker TLS 1.2 suites are excluded.

    [root@awaf:Active:Standalone] config # tmm --clientciphers 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
           ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
     0:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *         
     1:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *         
     2:  4867  TLS13-CHACHA20-POLY1305-SHA256   256  TLS1.3  CHACHA20-POLY1305   NULL    *         
     3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA

    • Injeyan_Kostas

      F5 shows ECDHE-RSA-AES256-SHA384/TLS1.2 as available, but the ssllabs test shows only TLS1_3.

      • Daniel_Wolf

        TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2 - works with an EC cert for TLS1_2

        TLSv1_3:ECDHE-RSA-AES256-GCM-SHA384:!DTLSv1_2 - works with an RSA cert for TLS1_2

        For TLSv1.3 both will use TLS_AES_256_GCM_SHA384 if ordered by strength in the Cipher Group, no matter whether the cert is EC or RSA.

    • THE_BLUE

      Thank you, I have tried it. When I test the SSL I found weak ciphers too, so how do I disable them? (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)). And I need to add (include) TLS_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

      • Injeyan_Kostas

        As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, for example. You need to disable all ECDHE, which you probably do not want to.

        For CHACHA20 use:
        DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305
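The thread turns on two questions that are easy to answer offline before touching the box: which suites a given cipher string actually resolves to (the answer above shows this with `tmm --clientciphers`), and whether the leftover suites include CBC/HMAC ones that an SSL scanner will flag. The following Python model is an added example, not F5 code or anything from the thread's participants. It implements the usual OpenSSL-style semantics of a colon-separated cipher string (each element appends matching suites, a `!` element removes matching suites permanently, an element that is neither a suite name nor a known keyword makes the whole string invalid) over a small constructed suite table; the suite codes and names follow the tmm output above and the IANA registry, but the DEFAULT membership and keyword sets are simplifications I chose for the model, not what tmm implements. It also filters the result by certificate type, which is the point Daniel_Wolf makes about ECDSA vs RSA certificates.

```python
"""Toy evaluator for an OpenSSL/F5-style cipher string.

Added example, not F5 code. It models the usual semantics of a
colon-separated cipher string: each element appends every matching suite
that is not already present, a '!' element removes matching suites
permanently wherever it appears, and an element that is neither a suite
name nor a known keyword makes the whole string invalid. The suite table
is constructed for this example: codes and names follow the thread's tmm
output and the IANA registry, but DEFAULT membership and the keyword sets
are simplifications, not what tmm actually implements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    code: int
    name: str
    bits: int
    prot: str
    cipher: str
    keyx: str
    keywords: frozenset  # upper-cased group names that select this suite


AEAD_CIPHERS = {"AES-GCM", "CHACHA20-POLY1305"}
PROTO_KEYWORD = {"TLS1.3": "TLSv1_3", "TLS1.2": "TLSv1_2", "DTLS1.2": "DTLSv1_2"}
# Keywords the model accepts even when no suite in the small table matches them
# (real F5 keywords; on a full table they would select legacy suites).
KNOWN_KEYWORDS = {"SSLV3", "TLSV1", "TLSV1_1", "RC4", "EXP", "DES", "3DES", "DHE"}


def _suite(code, name, bits, prot, cipher, keyx, *extra):
    kws = {PROTO_KEYWORD[prot], keyx, cipher, *extra}
    if prot != "DTLS1.2":
        kws.add("DEFAULT")  # model assumption: DEFAULT selects every TLS suite in the table
    return Suite(code, name, bits, prot, cipher, keyx, frozenset(k.upper() for k in kws))


SUITES = [  # constructed table; list order is the model's preference order
    _suite(0x1301, "TLS13-AES128-GCM-SHA256", 128, "TLS1.3", "AES-GCM", "*"),
    _suite(0x1302, "TLS13-AES256-GCM-SHA384", 256, "TLS1.3", "AES-GCM", "*"),
    _suite(0x1303, "TLS13-CHACHA20-POLY1305-SHA256", 256, "TLS1.3", "CHACHA20-POLY1305", "*"),
    _suite(0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384", 256, "TLS1.2", "AES-GCM", "ECDHE_ECDSA", "ECDHE"),
    _suite(0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384", 256, "DTLS1.2", "AES-GCM", "ECDHE_ECDSA", "ECDHE"),
    _suite(0xC030, "ECDHE-RSA-AES256-GCM-SHA384", 256, "TLS1.2", "AES-GCM", "ECDHE_RSA", "ECDHE"),
    _suite(0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305-SHA256", 256, "TLS1.2", "CHACHA20-POLY1305", "ECDHE_RSA", "ECDHE"),
    _suite(0xC027, "ECDHE-RSA-AES128-SHA256", 128, "TLS1.2", "AES-CBC", "ECDHE_RSA", "ECDHE"),
    _suite(0xC028, "ECDHE-RSA-AES256-SHA384", 256, "TLS1.2", "AES-CBC", "ECDHE_RSA", "ECDHE"),
    _suite(0xC013, "ECDHE-RSA-AES128-SHA", 128, "TLS1.2", "AES-CBC", "ECDHE_RSA", "ECDHE"),
    _suite(0xC014, "ECDHE-RSA-AES256-SHA", 256, "TLS1.2", "AES-CBC", "ECDHE_RSA", "ECDHE"),
    _suite(0x009D, "AES256-GCM-SHA384", 256, "TLS1.2", "AES-GCM", "RSA"),
]


def _matches(suite, element):
    e = element.upper()
    return e == suite.name.upper() or e in suite.keywords


def evaluate(cipher_string):
    """Return the suites the string enables, in the order they are added."""
    elements = [e for e in cipher_string.split(":") if e]
    for e in elements:
        bare = e.lstrip("!")
        if bare.upper() not in KNOWN_KEYWORDS and not any(_matches(s, bare) for s in SUITES):
            raise ValueError(f"Cipher string is invalid: unknown element {e!r}")
    # '!' removals are permanent no matter where they appear, so collect them first.
    banned = {i for i, s in enumerate(SUITES)
              for e in elements if e.startswith("!") and _matches(s, e[1:])}
    enabled = []
    for e in elements:
        if e.startswith("!"):
            continue
        for i, s in enumerate(SUITES):
            if i not in banned and _matches(s, e) and s not in enabled:
                enabled.append(s)
    return enabled


def non_aead(suites):
    """Enabled suites that pair a CBC cipher with an HMAC; SSL scanners report these as weak."""
    return [s.name for s in suites if s.cipher not in AEAD_CIPHERS]


def usable_with(suites, cert_type):
    """Suites the server can actually offer with an 'RSA' or 'ECDSA' certificate.
    TLS 1.3 suites do not fix the signature algorithm, so they work with either."""
    def needs(s):
        return "ECDSA" if s.keyx == "ECDHE_ECDSA" else "RSA"
    return [s for s in suites if s.prot == "TLS1.3" or needs(s) == cert_type]


def report(cipher_string):
    """Print a tmm --clientciphers style table for the model's result."""
    print(f"{'ID':>6}  {'SUITE':<34} {'BITS':>4} {'PROT':<8} {'CIPHER':<18} KEYX")
    for i, s in enumerate(evaluate(cipher_string)):
        print(f"{i}: {s.code:>6}  {s.name:<34} {s.bits:>4} {s.prot:<8} {s.cipher:<18} {s.keyx}")


if __name__ == "__main__":
    # The recommended string from the thread: TLS 1.3 plus one ECDSA-only TLS 1.2 suite.
    tight = "TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2"
    report(tight)
    print("non-AEAD:", non_aead(evaluate(tight)))
    print("with RSA cert:", [s.name for s in usable_with(evaluate(tight), "RSA")])
    # The accepted answer's string keeps every DEFAULT ECDHE suite, CBC ones included.
    broad = "DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305"
    print("non-AEAD:", non_aead(evaluate(broad)))
```

Two things the model makes visible: with an RSA certificate, the `ECDHE-ECDSA-...` string leaves only the TLS 1.3 suites negotiable (the ssllabs observation in the thread), and the `DEFAULT:...` string still carries the four CBC suites the question lists, because none of its `!` elements selects them. Listing the wanted AEAD suites by name, as the thread's answer does, avoids depending on how a `!` element is expanded; whatever string you settle on, confirm the result on the unit with `tmm --clientciphers` as shown above rather than trusting the model's table.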