Forum Discussion
IE8/XP compatible cipher suite
Trying to arrive at an SSL cipher suite that'll mitigate the recent vulnerabilities but still allow legacy IE8/XP clients to negotiate. We're currently on v11.6 and our suite is DEFAULT:!RSA:DHE-RSA-DES-CBC3-SHA:!SSLv3, which is blocking older clients.
Major sites are supporting older clients with TLS_RSA_WITH_3DES_EDE_CBC_SHA, but I am not sure how to modify our string to support this, or even if our F5 version still permits it.
6 Replies
- BPRIDE
Nimbostratus
Dear Josh,
Can you try the following in the SSL client profile for ciphers: NATIVE+HIGH:NATIVE+MEDIUM:!SSLv3:!RC4:!ADH
Regards, Balajirajah P B
- joshm_46566
Nimbostratus
When we try to apply that, we receive the following error:
0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server XYZ
However, the current string works OK.
- BPRIDE
Nimbostratus
Are you able to support the legacy XP client or not?
- joshm_46566
Nimbostratus
The string works for IE8/XP when applied to profiles that are only associated once on a virtual server. We get the error below when trying to use it on profiles that are part of a virtual server doing SNI.
0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server
- BPRIDE
Nimbostratus
Are you using the default cipher suite in the profile? Try the following command in bash: tmm --clientciphers 'DEFAULT'
- joshm_46566
Nimbostratus
We get the error when attempting to apply NATIVE+HIGH:NATIVE+MEDIUM:!SSLv3:!RC4:!ADH on an existing profile.
tmm --clientciphers 'DEFAULT'
     ID     SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0:  159    DHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
 1:  158    DHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
 2:  57     DHE-RSA-AES256-SHA           256   TLS1    Native  AES      SHA     EDH/RSA
 3:  57     DHE-RSA-AES256-SHA           256   TLS1.1  Native  AES      SHA     EDH/RSA
 4:  57     DHE-RSA-AES256-SHA           256   TLS1.2  Native  AES      SHA     EDH/RSA
 5:  57     DHE-RSA-AES256-SHA           256   DTLS1   Native  AES      SHA     EDH/RSA
 6:  51     DHE-RSA-AES128-SHA           128   TLS1    Native  AES      SHA     EDH/RSA
 7:  51     DHE-RSA-AES128-SHA           128   TLS1.1  Native  AES      SHA     EDH/RSA
 8:  51     DHE-RSA-AES128-SHA           128   TLS1.2  Native  AES      SHA     EDH/RSA
 9:  51     DHE-RSA-AES128-SHA           128   DTLS1   Native  AES      SHA     EDH/RSA
10:  22     DHE-RSA-DES-CBC3-SHA         192   TLS1    Native  DES      SHA     EDH/RSA
11:  22     DHE-RSA-DES-CBC3-SHA         192   TLS1.1  Native  DES      SHA     EDH/RSA
12:  22     DHE-RSA-DES-CBC3-SHA         192   TLS1.2  Native  DES      SHA     EDH/RSA
13:  22     DHE-RSA-DES-CBC3-SHA         192   DTLS1   Native  DES      SHA     EDH/RSA
14:  157    AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
15:  156    AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
16:  61     AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
17:  53     AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
18:  53     AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
19:  53     AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
20:  53     AES256-SHA                   256   DTLS1   Native  AES      SHA     RSA
21:  60     AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
22:  47     AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
23:  47     AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
24:  47     AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA
25:  47     AES128-SHA                   128   DTLS1   Native  AES      SHA     RSA
26:  10     DES-CBC3-SHA                 192   TLS1    Native  DES      SHA     RSA
27:  10     DES-CBC3-SHA                 192   TLS1.1  Native  DES      SHA     RSA
28:  10     DES-CBC3-SHA                 192   TLS1.2  Native  DES      SHA     RSA
29:  10     DES-CBC3-SHA                 192   DTLS1   Native  DES      SHA     RSA
30:  49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
31:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
32:  49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
33:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
34:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
35:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
36:  49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
37:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
38:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
39:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
40:  49170  ECDHE-RSA-DES-CBC3-SHA       192   TLS1    Native  DES      SHA     ECDHE_RSA
41:  49170  ECDHE-RSA-DES-CBC3-SHA       192   TLS1.1  Native  DES      SHA     ECDHE_RSA
42:  49170  ECDHE-RSA-DES-CBC3-SHA       192   TLS1.2  Native  DES      SHA     ECDHE_RSA
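
Added example, not part of the thread and not F5 code: a Python script that parses a tmm --clientciphers listing like the one pasted above and returns the rows a legacy client could negotiate, so a candidate cipher string can be checked before it goes on a profile. Both listings are constructed excerpts, and the client model (TLS1 only, offering suite ID 10, which is the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite named in the question) is an assumption.

```python
import re

# One row of `tmm --clientciphers` output: index, suite ID, name, bits,
# protocol, method, cipher, MAC, key exchange. Matching on tokens instead of
# lines also accepts output pasted with its line breaks lost.
ROW = re.compile(
    r"(?<!\S)(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
FIELDS = ("index", "id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")


def parse_clientciphers(text):
    """Return one dict per listing row; the header line is skipped automatically."""
    rows = []
    for match in ROW.finditer(text):
        row = dict(zip(FIELDS, match.groups()))
        for key in ("index", "id", "bits"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def usable_by(rows, client_ids, client_prots):
    """Rows whose suite ID the client offers and whose protocol it speaks."""
    return [r for r in rows if r["id"] in client_ids and r["prot"] in client_prots]


# Constructed listing: rows taken from the DEFAULT output above, renumbered.
WITH_RSA_3DES = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
1: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
2: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
3: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA"""

# Constructed listing with only DHE key exchange, flattened onto one line.
DHE_ONLY = ("ID SUITE BITS PROT METHOD CIPHER MAC KEYX "
            "0: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA "
            "1: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA")

# Assumed legacy client: TLS1 only, offering suite ID 10.
LEGACY_IDS, LEGACY_PROTS = {10}, {"TLS1"}

if __name__ == "__main__":
    for name, listing in (("with RSA 3DES", WITH_RSA_3DES), ("DHE only", DHE_ONLY)):
        hits = usable_by(parse_clientciphers(listing), LEGACY_IDS, LEGACY_PROTS)
        print(name, "->", [(h["suite"], h["prot"]) for h in hits] or "no common suite")
```

On a BIG-IP, the listing text would come from running tmm --clientciphers with the candidate string in place of 'DEFAULT'.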
