Strong cipher suite

Question

Hi we are testing a url on sslab test and the current setup on our f5 have these ciphers:

DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RSA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

but when we tested it on sslab test, it says:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (

0xc028

) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK

256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (

0xc027

) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK128

anyone knows how to address this?

koalan · Answer

up

enes_afsin_al · Answer

Hi Koalan,tmm --clientciphers 'ECDHE+AES': 0: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  DTLS1  AES                 SHA     ECDHE_RSA
 4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
 5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  DTLS1  AES                 SHA     ECDHE_RSA
 9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSAYou can add this:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:or use that:DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RSA:!ECDHE-RSA-DES-CBC3-SHA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES:ECDHE+AES-GCM:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

Forum Discussion

Strong cipher suite

2 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Floating IP responds from wrong VLAN/trunk

expandsSubcollections and filtering in F5 SDK

F5 i-series Guests to r-series tenants migration

Building new F5 replica

F5 CNF/BNK issue with DNS Express tmm scaling and zone notifications

Related Content

Cipher Suite Practices and Pitfalls

Breaking Down the Quantum Challenge: TLS Cipher Suite Vulnerabilities and FIPS Post-Quantum Standards Explained

Cipher Suites Supported (12.1.5.3)

Disabling Specific Weak Cipher Suites

SSL Profiles Part 4: Cipher Suites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS