Need help to set Cipher

Question

Hi&nbsp;
We are running on Ver 10.2.4 and have below cipher string on our SSL profile.&nbsp;
ALL:!SSLv3:!SSLv2:!aDH:!LOW:!EXPORT:!NULL:!MD5:HIGH:MEDIUM:RSA:RC4:@SPEED&nbsp;
We want to disable RC4 and enable AES but keeping TLS1.0 enabled. But when I use below Cipher string to accomplish this&nbsp;
ALL:!SSLv3:!RC4:!SSLv2:!aDH:!LOW:!EXPORT:!NULL:!MD5:TLSv1:HIGH:MEDIUM:RSA+AES:@SPEED&nbsp;
It still shows RC4 enabled and the rating is C on SSL labs.&nbsp;
Please suggest correct string to do this&nbsp;

jcline · Answer

I use this string on my profiles.  It gets me a score of 93% using my calomel plugin and a B from SSLlabs.
I haven't had any problems with compatibility.&nbsp;
DHE+HIGH:TLSv1_2:TLSv1_1:!SSLv3:TLSv1:!RC4:!MD5:!ADH:!LOW:!EXPORT:!DES:@SPEED&nbsp;

jcline · Answer

We are on version 11.6 but I'm pretty sure that we brought that cipher string up from version 10.&nbsp;

kevin_stewart · Answer

The best way to test for a given set of ciphers, based on your cipher string, is with the tmm --clientciphers command:
tmm --clientciphers 'ALL:!SSLv3:!RC4:!SSLv2:!aDH:!LOW:!EXPORT:!NULL:!MD5:TLSv1:HIGH:MEDIUM:RSA+AES:@SPEED'

This will dump all of the ciphers that meet the above criteria. I'm pretty sure the above string doesn't produce RC4 ciphers, but I don't have a 10.x box in front of me to test.

Forum Discussion

Need help to set Cipher

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

UCS Encryption Question

Unblock Request WAF

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

Related Content

Cipher Suite Practices and Pitfalls

Future-Proofing Your Network: Enabling Quantum Ciphers on F5 BIG-IP TMOS 17.5.1

LTM Cipher rule

Disable below cipher

Disabling Weak Ciphers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS