# Disabling Weak Ciphers

Hi Experts,

We've been asked to disable the weak ciphers in F5 (12.1.2). Would like to seek help in getting the relevant ciphers disabled.

Currently, it's configured as DEFAULT in SSL profiles. Shall I proceed with this Cipher list DEFAULT:!DHE:!TLSV1_TLSV1_1 ...? Below are the alerts

PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH

TLSv1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low

TLSv1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low

TLSv1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low

TLSv1.1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low

TLSv1.1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low

TLSv1.1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES256-GCM-SHA384 DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES128-GCM-SHA256 DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES256-SHA256 DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES128-SHA256 DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES256-SHA DHE 1024 yes 80 low

TLSv1.2 DHE-RSA-AES128-SHA DHE 1024 yes 80 low

TLSv1.2 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low#

I'm running v15.1.8 and the following matches.

`DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256`

I built it starting from

**DEFAULT:!TLSv1:!TLSv1_1**and excluding explicitly the suites from your comment that still were in the list. (I noticed there was 3 repetitions; also EDH-RSA-DES-CBC3-SHA did not show up in cipher rule so there was no need to specify it)