Disable DHE Ciphers - SSL Parent Profile

Question

I'm currently running 11.6.0 on most of my devices and am looking to upgrade passed version 12.0 in the near future. Looking at the iHealth Upgrade Advisor, I need to disable DHE ciphers on all of my Server SSL Profiles before upgrading. &nbsp;
I added  DEFAULT:!EXPORT:!DHE  to one of my Server SSL Profiles and it is no longer getting flagged in iHealth. Can I add that string to the Server SSL parent profile, or do I have to add that to each profile individually? Will updating the parent profile have any adverse effects on my other profiles, or would the Cipher settings be the only thing that changes? &nbsp;

simon_blakely · Answer

F5 recommends that you do not modify a default profile (like the serverssl profile).  
&nbsp;
What you should do is create a new site-default server-ssl profile, and change the Parent Profile on all your existing server-ssl profiles to this new site-default profile.&nbsp;
Then (in future) is you need to modify a setting on all your server-ssl profiles, you can make that change on your site-default profile and pass it to all the child profiles.&nbsp;
You can override an inherited option in a child profile by setting the custom checkbox for a specific option.&nbsp;

Forum Discussion

Disable DHE Ciphers - SSL Parent Profile

1 Reply

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

Disable below cipher

Disabling Weak Ciphers

Disabling Specific Weak Cipher Suites

How to disable weak cipher from Client SSL Profile

SSL Profiles Part 4: Cipher Suites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS