Hi! i have big-ip 11.5.1 according to ssllabs.com test i need to config only this ciphers on ssl profile : TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 what is the string do enable these and disable all others? thank for any help, Aviv Hassidim

Do you mean for WebUI access or for SSL offloading? The approach varies slightly according to which you intend to change. You should find the following solution articles instructive: SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profilesSOL13163: SSL ciphers supported on BIG-IP platforms (11.x)SOL15194: Overview of the BIG-IP SSL/TLS cipher suiteSOL13171: Configuring the cipher strength for SSL profiles (11.x)SOL13156: SSL ciphers used in the default SSL profiles (11.x)SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)

Hi Vernon! thanks for your help. i need it for SSL offloading. i have tested a website that got grade A on ssllabs/ and i saw that his result was: LS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 can you help me write that string ?

how to remove TLS_RSA_WITH_RC4_128_SHA ?

SSL Ciphers | DevCentral

11 Replies

Vernon_97235
Historic F5 Account
Jul 13, 2015
Do you mean for WebUI access or for SSL offloading? The approach varies slightly according to which you intend to change.

You should find the following solution articles instructive:

SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
SOL15194: Overview of the BIG-IP SSL/TLS cipher suite
SOL13171: Configuring the cipher strength for SSL profiles (11.x)
SOL13156: SSL ciphers used in the default SSL profiles (11.x)
SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)
- Aviv
  Cirrus
  Jul 13, 2015
  Hi Vernon! thanks for your help. i need it for SSL offloading. i have tested a website that got grade A on ssllabs/ and i saw that his result was: LS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 can you help me write that string ?
VernonWells
Employee
Jul 13, 2015
Do you mean for WebUI access or for SSL offloading? The approach varies slightly according to which you intend to change.

You should find the following solution articles instructive:

SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
SOL15194: Overview of the BIG-IP SSL/TLS cipher suite
SOL13171: Configuring the cipher strength for SSL profiles (11.x)
SOL13156: SSL ciphers used in the default SSL profiles (11.x)
SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)
- Aviv
  Cirrus
  Jul 13, 2015
  Hi Vernon! thanks for your help. i need it for SSL offloading. i have tested a website that got grade A on ssllabs/ and i saw that his result was: LS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 can you help me write that string ?
Aviv
Cirrus
Jul 13, 2015
how to remove TLS_RSA_WITH_RC4_128_SHA ?

Kevin_Stewart

Employee

Jul 13, 2015

This should get you what you need:

!SSLv3:!EXPORT:RSA+AES:RSA+AES-GCM:ECDHE+3DES:@strength

Which produces the following cipher list:

AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
AES256-SHA                       256  TLS1    Native  AES       SHA     RSA       
AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA       
AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES       SHA     ECDHE_RSA 
ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES       SHA     ECDHE_RSA 
ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES       SHA     ECDHE_RSA 
AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
AES128-SHA                       128  TLS1    Native  AES       SHA     RSA       
AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA       
AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA

Aviv
Cirrus
Jul 13, 2015
Kevin_Stewart
Employee
Jul 15, 2015
Because of the recent Logjam vulnerabilities targeting Diffie-Helman

https://weakdh.org/

A recommended course of action is to simply prefer ECDHE (instead of DHE). So a good cipher string would be something like this:

!SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4
Kevin_Stewart
Employee
Jul 15, 2015
Ah, do you have any hotfixes applied to 11.5.1?

A fix has been applied to 11.5.1 HF6 and 11.6.0, so you'll need to get there soon. In the meantime, per:

https://devcentral.f5.com/articles/cve-2014-3566-poodle-vs-cve-2014-8730-tls-poodle

and

https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

the workaround cipher string is:

!SSLv3:AES-GCM:RC4-SHA
Aviv
Cirrus
Jul 15, 2015
This cipher string !SSLv3:AES-GCM:RC4-SHA also gives Grade F

until i upgrade my big-ip do you have a cipher string for ver 11.5.1 that will give a least grade B?
Kevin_Stewart
Employee
Jul 15, 2015
Unfortunately you're best bet is probably to patch. Any workaround cipher string will severely limit access to older clients. On an 11.6.0 box the DEFAULT stack should get you a B.

Did you try the first cipher string?

!SSLv3:!EXPORT:RSA+AES:RSA+AES-GCM:ECDHE+3DES:@strength

Forum Discussion

SSL Ciphers

11 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

SSL Profiles Part 4: Cipher Suites

Cipher Suite Practices and Pitfalls

Future-Proofing Your Network: Enabling Quantum Ciphers on F5 BIG-IP TMOS 17.5.1

SSL Ciphers (SSLLabs) Warning

BIG-IP SSL Cipher History

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS