F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Julio_Navarro's avatar
Julio_Navarro
Icon for Cirrostratus rankCirrostratus
Oct 22, 2021

Only show 256 bits ciphers - parent client-ssl profile

Hello, I have the cipher suite configured in my parent client-ssl profile: !ECDH_RSA:!ECDH_ECDSA:!SHA:-AES:AES:ECDHE:ECDHE_ECDSA:DHE:DHE_DSS:!RSA   How can I only provide ONLY 256 bits ciphers ...
256-bits
application delivery
BIG-IP
LTM
CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Nov 17, 2021

Hello Julio,

first things first, I would recommend not to edit default SSL profiles: instead, create a new one and inherit settings from defaults.

 

You can filter ciphers by strength with keywords LOW (64 bit bulk crypto algorithm) , MEDIUM (128-bit) and HIGH ( [ 168 bit/192 bit -- deprecated] and 256-bit ).

 

So your default string should be HIGH , and then exclude unwanted suites.

 

You can test output with command tmm --clientciphers <string> , ex. tmm --clientciphers "HIGH" or tmm --clientciphers "HIGH:!ECDH_RSA:!ECDH_ECDSA:!SHA:!RSA"

  • Fallout1984's avatar
    Fallout1984
    Icon for Cirrocumulus rankCirrocumulus
    Nov 18, 2021

    That's good info. With "@STRENGTH" one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH)

     

    This is just for anyone who may have a need for it. 😀