Forum Discussion

Cirrus

Feb 02, 2018

SSL Cipher tweaking

Hi, To be honest i do not completely understand how the cipher string is constructed, but I normally use this one, that used to give me grade A on ssllabs: !LOW:!SSLv2:!SSLv3:!MD5:!RC4+SHA:!EXPO...

Nimbostratus

Feb 02, 2018

If upgrading is not an option, I think you should change the cipher on your client profile. You could use this one:

'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'

Keep in mind, assuming that your are using SSL offloading on the LB, ssllabs checks the connection to the load balancer (not to the real server.) So, if the server doesn't support AEAD, you can relax the ciphers on the server profile.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SSL Cipher tweaking

Jeff - May 2026 Featured F5er

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

certitcate error

Layered ASM for APM login page protection

migrate from serie I to R. Cluster LTM-GTM

APM URL encoding Hardening?

Trial License for F5 virtual edition in eve-ng

Related Content

Web UI Tweaks

WebUI Tweaks OLD

SSL Profiles Part 4: Cipher Suites

Web UI Tweaks Chrome plugin

Cipher Suite Practices and Pitfalls

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS