POODLE Again - Can't apply Perfect Forward Secrecy (PFS) after applying !SSLv3:RC4-SHA

Question

Hi,&nbsp;
I had "ECDHE:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3", in my cipher string and my rating was A+. &nbsp;
With the New POODLE Vulnerability threat and receiving the error from SSL Lab This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F , I've ADDED "!SSLv3:RC4-SHA" in the cipher string and I am still getting F. &nbsp;
I removed the previous string and now have "!SSLv3:RC4-SHA" only, and now my grade is B in SSL Lab. One of the reason "The server does not support Forward Secrecy with the reference browsers". I've added "ECDHE" to the string without any luck. &nbsp;
Can you please let me know the Cipher string that I need to use to enable PFS + No POODLE Vulnerability? or what cipher string should i use alongside "!SSLv3:RC4-SHA" to achieve this?&nbsp;

seth_cooper · Answer

Hi Virtualrana,&nbsp;
You really should open a support case to get any security questions answered.  Support can validate the correct settings and work with the security group within F5 to make sure you have the optimal setup.&nbsp;
Regards,&nbsp;
Seth&nbsp;

torti · Answer

If Im right, you cannot get an A+ without an update. For PFS you need ECDHE. for no poodle, you need an update or rc4. if you choose rc4, you cannot get PFS, because there is no cipher with ECDHE and RC4.

jan-fredrik_kle · Answer

Try this one:
ECDHE+AES:ECDHE+3DES:RSA+3DES:!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4&nbsp;
Best regards&nbsp;

virtualrana_132 · Answer

Thanks Torti for the clarification, this is really helpful. I've logged a case with F5 and waiting for them to get back to me. Hopefully they will be able to tell me the right combination or suggest something without the upgrade. And if I definitely need to upgrade, I will do that. Thanks again.

virtualrana_132 · Answer

Thanks Jan-Fredrik, for your suggestion. Tried that but didn't help. I need to use "!SSLv3:RC4-SHA" to prevent the new vulnerability.

Forum Discussion

POODLE Again - Can't apply Perfect Forward Secrecy (PFS) after applying !SSLv3:RC4-SHA

6 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Single LTM with multiple GTM domains

Question about adding VEs to existing physical appliance device group without ASM licenses

2026 301a exam

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

What is the best practice for migrating from iseries to rseries?

Related Content

Lightboard Lessons: Perfect Forward Secrecy

Lightboard Lesson: Perfect Forward Secrecy Inspection Visibility

The BIG-IP and Ansible Sandbox, The Perfect Automation Playground!

Terraform apply failures - loadbalancer_type.https.port_choice

Heartbleed and Perfect Forward Secrecy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS