
Forum Discussion

Samir_Jha_52506
Jun 29, 2016

how to remove Cipher from SSL profile

Hi experts,

I want to remove the ciphers below from the SSL profile.

    10: 49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
    11: 49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2  Native  AES      SHA384  ECDHE_RSA

Please help me to compose it.

6 Replies

  • Just use the exclamation mark to exclude a cipher suite you don't want, and append it to your cipher config. Assuming that you have no other cipher customization in place at this point, the end result would be

    DEFAULT:!ECDHE-RSA-AES256-SHA384

     tmm --clientciphers 'DEFAULT'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
     2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
     3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
     4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
     5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
     6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
     7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
     8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
     9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
    10:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
    11:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
    12:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    13:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
    14:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
    15:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
    16:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    17: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
    18: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
    19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
    20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
    21: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    22: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
    23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
    24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    25: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
    26: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
    27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    
    tmm --clientciphers 'DEFAULT:!ECDHE-RSA-AES256-SHA384'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
     2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
     3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
     4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
     5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
     6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
     7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
     8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
     9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
    10:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
    11:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
    12:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    13:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
    14:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
    15:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
    16:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    17: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
    18: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
    19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
    20: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    21: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
    22: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
    23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    24: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
    25: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
    26: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    
    • IainThomson85_1
      As Hannes has said. It might also be worth investigating which cipher string is currently in use under DEFAULT (it can change with each software version). Depending on your reasoning for stopping negotiation with that cipher, you may want to block the entire ECDHE cipher suite.
    • THi
      For default ciphers per software version, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x): https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
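The two points made in this thread (an `!` token removes a suite from whatever `DEFAULT` expands to on your version, and a keyword such as `ECDHE` removes a whole key-exchange family) can be checked offline before touching the profile. The script below is an added example, not F5 code or anything posted in the thread: it parses the `tmm --clientciphers 'DEFAULT'` listing from the accepted answer (embedded here as constructed sample input), applies a cipher string to it with a deliberately simplified model of the exclusion grammar (a `!` token matches a SUITE name exactly, or one of the PROT, CIPHER, MAC or KEYX columns, with KEYX split on `_`; this matching rule is an assumption, not the real parser), and reports any `!` token that excluded nothing. That last report is the practical caveat: excluding a suite that is not in `DEFAULT` on your version, or a misspelled suite name, is a silent no-op.

```python
"""Offline check of a BIG-IP cipher string against a captured cipher table.

Added example, not F5 code. The exclusion matching below is a simplified
model of the real cipher-string grammar (assumption): a '!' token removes
every row whose SUITE equals the token, or whose PROT, CIPHER or MAC column
equals it, or whose KEYX column contains it as a '_'-separated part
(so '!ECDHE' removes all ECDHE_RSA rows).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input: the `tmm --clientciphers 'DEFAULT'` listing from
# the thread above (28 rows). The tmm command line and header are skipped by
# the parser; only "N: ID SUITE BITS PROT METHOD CIPHER MAC KEYX" rows count.
SAMPLE_DEFAULT = """\
tmm --clientciphers 'DEFAULT'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
 4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
 5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
 6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
 7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
 8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
 9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
10:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
11:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
12:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
13:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
14:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
15:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
16:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
17: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
18: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
21: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
22: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
25: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
26: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
"""


@dataclass(frozen=True)
class Suite:
    id: int
    suite: str
    bits: int
    prot: str
    cipher: str
    mac: str
    keyx: str


def parse_table(text: str) -> list[Suite]:
    """Parse the tmm listing; header and command lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not parts[0].endswith(":"):
            continue
        rows.append(Suite(int(parts[1]), parts[2], int(parts[3]), parts[4],
                          parts[6], parts[7], parts[8]))
    return rows


def _matches(row: Suite, token: str) -> bool:
    # Simplified model (assumption): exact suite name, exact column value,
    # or a key-exchange component such as ECDHE inside ECDHE_RSA.
    return (token == row.suite
            or token in (row.prot, row.cipher, row.mac)
            or token in row.keyx.split("_"))


def apply_cipher_string(default_rows: list[Suite], spec: str) -> tuple[list[Suite], list[str]]:
    """Apply 'DEFAULT:!X:!Y' to the rows; return (remaining, tokens that removed nothing)."""
    tokens = spec.split(":")
    if tokens[0] != "DEFAULT":
        raise ValueError("this model only handles strings that start with DEFAULT")
    remaining = list(default_rows)
    no_op = []
    for tok in tokens[1:]:
        if not tok.startswith("!"):
            raise ValueError(f"unsupported token {tok!r}: only '!' exclusions are modelled")
        name = tok[1:]
        kept = [r for r in remaining if not _matches(r, name)]
        if len(kept) == len(remaining):
            no_op.append(name)  # nothing matched: typo, or not in DEFAULT on this version
        remaining = kept
    return remaining, no_op


def weak_suites(rows: list[Suite]) -> list[Suite]:
    """Rows a reviewer would flag while they are in there anyway: RC4 and 3DES."""
    return [r for r in rows if r.cipher in ("RC4", "DES")]


if __name__ == "__main__":
    default = parse_table(SAMPLE_DEFAULT)
    for spec in ("DEFAULT:!ECDHE-RSA-AES256-SHA384",
                 "DEFAULT:!ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384",
                 "DEFAULT:!ECDHE"):
        remaining, no_op = apply_cipher_string(default, spec)
        print(f"{spec}: {len(default)} -> {len(remaining)} rows; no-op tokens: {no_op}")
    print(f"RC4/3DES rows still offered by DEFAULT: {len(weak_suites(default))}")
```

Run against the sample, the original poster's second suite (`ECDHE-RSA-AES256-GCM-SHA384`) comes back as a no-op token because the answerer's `DEFAULT` expansion does not contain it, which is exactly why both follow-up replies say to check what `DEFAULT` resolves to on the installed version (SOL13156) before trusting the string. The real check is still the one the accepted answer shows, `tmm --clientciphers '<your string>'` on the box; this model only helps review a candidate string beforehand.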