Forum Discussion
Mike_Morse_1839
Mar 02, 2015, Nimbostratus
The best ciphersuite
Hi
We host several virtual servers on our LTM and assign SSL profiles to them with certain ciphersuites, I wish to improve them.
My question is, can anyone suggest an appropriate cipher suite to ...
El-Guapo_29797
Nimbostratus
In 11.4.x code (https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
El-Guapo_29797
Mar 04, 2015, Nimbostratus
I would think not. I see that you have contributed a lot, which is honorable, but in this case I would go with F5's most recent article on this issue. That is, if you are below version 11.5.x, you should not disable RC4-SHA, which is exactly what (!RC4) is doing. Note that if you do disable RC4-SHA, it means you just disabled TLS 1.x; all other CBC mode ciphers are vulnerable (which is all other ciphers besides RC4 on codes 11.4.x and below). Look at what they say below... We have tested this extensively and below is correct.
"In 11.4.1 and earlier, use the cipher string !SSLv3:RC4-SHA.
This is where we often see a second level of confusion. Many have tried cipher strings such as "DEFAULT:!SSLv3:RC4-SHA" or "NATIVE:!SSLv3:RC4-SHA". These will not work; follow the SOL explicitly. Note that if you upgrade to a fixed version then you don't need to worry about the cipher string. (Other than ensuring SSLv3 is disabled for CVE-2014-3566, of course.)
The issue with the TLS Padding Vulnerability is with CBC mode ciphers. All of the ciphers supported by F5, aside from RC4 (and AES-GCM in 11.5.0+), are CBC mode. Note that not all CBC mode ciphers have 'CBC' in the name. This has caused confusion in many cases due to the belief that CBC is disabled because the string 'CBC' is not shown when listing the enabled ciphers. Yet scan tools still flag the system as vulnerable. If it isn't RC4 or AES-GCM, it is CBC mode and vulnerable on an unpatched system."
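As an added example (not code from this thread or from F5), the following Python script applies the rule quoted above to a profile's enabled cipher list: anything that is not RC4 and not AES-GCM is treated as CBC mode and flagged on a pre-11.5 system. The sample cipher names and the 11.5 version threshold are assumptions taken from this thread.

```python
import re

# Rule taken from the F5 guidance quoted in the thread: on an unpatched
# 11.4.x system, every enabled cipher that is neither RC4 nor AES-GCM runs
# in CBC mode and is affected by the TLS padding issue, whether or not
# "CBC" appears in its name (AES128-SHA, DHE-RSA-AES256-SHA, ...).
RC4_RE = re.compile(r"(^|-)RC4(-|$)")
GCM_RE = re.compile(r"-GCM(-|$)")

# Assumed threshold: the thread treats 11.5.x as the first version where the
# cipher string no longer matters for this issue.
FIXED_VERSION = (11, 5, 0)

# Constructed sample of cipher names as they might be listed for a profile.
SAMPLE_PROFILE_CIPHERS = [
    "RC4-SHA",
    "AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "ECDHE-RSA-AES256-SHA384",
]


def cipher_mode(name):
    """Return 'stream' for RC4, 'aead' for AES-GCM, otherwise 'cbc'."""
    upper = name.upper()
    if RC4_RE.search(upper):
        return "stream"
    if GCM_RE.search(upper):
        return "aead"
    return "cbc"


def version_tuple(version):
    """Turn a BIG-IP version string such as '11.4.1' into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def audit_ciphers(enabled, version):
    """Split an enabled cipher list into (vulnerable, safe) for the given version."""
    if version_tuple(version) >= FIXED_VERSION:
        return [], list(enabled)      # patched code: nothing to flag
    vulnerable = [c for c in enabled if cipher_mode(c) == "cbc"]
    safe = [c for c in enabled if cipher_mode(c) != "cbc"]
    return vulnerable, safe


if __name__ == "__main__":
    vuln, ok = audit_ciphers(SAMPLE_PROFILE_CIPHERS, "11.4.1")
    print("CBC mode (flagged on 11.4.1):", vuln)
    print("not CBC mode:", ok)
```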