Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

dgytech's avatar
dgytech
Icon for Altostratus rankAltostratus
Sep 27, 2019

F5 LTM 11.4.0 Cipher Suites question

We currently have an SSL client profile with the following Ciphers setting: ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA   This results in "TLS_ECDHE_RS...
LTM
security
TMSH
ToonVA's avatar
ToonVA
Icon for Cirrus rankCirrus
Dec 13, 2019

MEDIUM: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH

Key size allowed 128-bit and 256-bit

MAX: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH

Key size allow 256-bit

 

If you don’t want to block those ciphers on CBC then you can use the following string(s) below

 

MEDIUM: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH

Key size allowed 128-bit and 256-bit

MAX: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH

Key size allow 256-bit

 

Explanation

  • ECDHE - Allow Elliptic Curve Diffie-Hellman Ephemeral with RSA
  • ECDHE_ECDSA - Allow ECDHE with Elliptic Curve Digital Signature Algorithm
  • !AES - Block AES in CBC mode - 128-bit or 256-bit (needed to stop CBC ciphers)
  • !SHA - Block SHA/SHA1 (needed to stop CBC ciphers)
  • !RC4 - Block RC4 stream cipher
  • !EXP - Block Export grade ciphers- 40-bit or 56-bit
  • !DES - Block Single DES in CBC mode - 40-bit & 56-bit
  • !3DES - Block Triple DES in CBC mode - 168-bit
  • !LOW - Block Key size < 128bit
  • !MEDIUM - Block Key size <= 128bit (only 256-bit and higher remains)
  • !SSLv2 - Block SSLv2 Protocol
  • !SSLv3 - Block SSLv3 Protocol
  • !TLSv1 - Block TLS1.0 Protocol
  • !TLSv1_1 - Block TLS1.1 Protocol
  • @STRENGTH - Enforce most secure first

 

Personally i did multiple changes for a project to stop TLS1.0 and TLS1.1 support but i find it more easy to not include those in the cipher string but in the options of the profile. Then you have a better overview and f you save this as a "template" you can re-assign it to your clientssl profiles and so you don't need to maintain all those individual but only the "parent". With the options to block CBC you will have a guaranteed A/A+ grade on SSL Labs. Keep in mind that Windows 7 clients with IE11 don't support GCM ciphers in combination with an RSA certificate! If you want to enforce GCM for Windows 7 and IE11 you need RSA AND ECDSA certificate in one client-ssl profile in order to let a client make an handshake with ECDHE_ECDSA.

 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384