Forum Discussion

Nimbostratus

Apr 29, 2018

Remove TLS_RSA for PFS?

Given these ciphers supported on an 11.6.2HF1 LTM, if the server is using RSA certificates, to prevent the ROBOT vulnerability, do we just need to remove the (7) TLS_RSA ciphers noted at the end of t...

LTM

security

Simon_Blakely

Employee

Apr 29, 2018

If you are running 11.6.2 HF1, you have already mitigated ROBOT even if you continue to use RSA key Exchange.

K21905460: BIG-IP SSL vulnerability (ROBOT) CVE-2017-6168

Please be aware of the note in K21905460

Note: Fixed BIG-IP versions do not disable RSA key exchange, they eliminate the existing code flaw in our implementation of RSA key exchange. Due to influences outside the control of the BIG-IP system, some SSL rating sites and scanners may falsely report that fixed versions are vulnerable to CVE-2017-6168. In these instances you may want to contact the scanner vendor to report the false positive result.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Remove TLS_RSA for PFS?

F5 Academy at AppWorld 2026

Kostas Injeyan - October 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Upgrading F5 units configured as Active-Active without Traffic Groups behind Azure LB

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

Strict header Insertion

F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x

High availability Blade

Related Content

Remove alerts showing r-series LCD/Dashboard.

Remove Quotation marks

remove www

Removal Cookies on Client Browser

CVE-2014-3566: Removing SSLv3 from BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS