Excluding Cipher List

Question

I'm attempting to remove a specific Cipher stream from a Client SSL Profile.
I can't seem to exclude the specific two streams from the Cipher List.
Any help would be appreciated.
I need to exclude -
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA

I am using 
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES

I can't get an exclusion to remove the two cipher streams I want.
This link was a great help,
https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564
but I can't get it to function the way I want it to.

ed_summers · Answer

Are you only looking to exclude those two specific ciphers? Does the following not work for your requirement:&nbsp;
!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES&nbsp;

vijay_e · Answer

This seems to work for me:
tmm --clientciphers '!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES'
Can you post your output and identify the ciphers that you think should be excluded but still show up ? 
Just a word of caution, the cipher list that you are using is still weak. If you are looking to provide better security, I would recommend checking this out.

Forum Discussion

Excluding Cipher List

2 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

Cipher Suite Practices and Pitfalls

iRule exclude URI

Future-Proofing Your Network: Enabling Quantum Ciphers on F5 BIG-IP TMOS 17.5.1

F5 402 Exam reading list and notes

LTM Cipher rule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS