Forum Discussion
Weak Ciphers Removal
fmalik
If you don't have to have this changed immediately, your best option here is to log the User-Agent HTTP header and then validate the ciphers that those browsers use by default. The following URL should help you log what SSL ciphers are being used.
https://support.f5.com/csp/article/K86071030
In conjunction with the above URL, you can add in the following so that you can also log the User-Agent associated with those SSL ciphers.
User Agent: [HTTP::header user-agent]
As an example, when you add in User-Agent, it would look something similar to the following for the logging line.
log local0. "From IP: [IP::client_addr] - User Agent: [HTTP::header user-agent] - cipher: [SSL::cipher name] - version: [SSL::cipher version]"
If you aren't interested in the client IP address, you can remove those pieces as well and only log what you are interested in. You can also reorganize the SSL ciphers that are currently used on the F5 into strongest-first order, if that isn't the default, to have a better idea of what each client decides to use. The issue you will have is that some clients will not be able to use any of the ciphers you switch to for this higher rating, and you might be forced to use a weaker set of ciphers to allow those users to continue using the website. You cannot have both the highest rating and support all client browsers, and you will have to make a decision on forcing the clients to update/upgrade and cutting off their access, or configuring the ciphers that all your clients can use and taking the weaker score.
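An added example, not part of the original post and not F5's own code: a Python script that parses log lines in the format shown above and tallies which cipher and protocol version each User-Agent negotiated, listing the agents seen only on weak settings. The sample lines, their syslog prefix, and the weak-cipher markers are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the message produced by the logging line in the post above.
LINE_RE = re.compile(
    r"From IP: (?P<ip>\S+) - User Agent: (?P<ua>.*) - cipher: (?P<cipher>\S+)"
    r" - version: (?P<version>\S+)"
)

# Assumption: what counts as weak here is illustrative; set it from your own policy.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def is_weak(cipher, version):
    return version in WEAK_VERSIONS or any(m in cipher.upper() for m in WEAK_MARKERS)

def tally(lines):
    """Return {user_agent: Counter({(cipher, version): hits})}, skipping unparsable lines."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # A request without the header logs an empty User-Agent field.
            seen[m["ua"] or "(none)"][(m["cipher"], m["version"])] += 1
    return seen

def weak_only_agents(seen):
    """User agents never observed on anything outside the weak set."""
    return sorted(ua for ua, combos in seen.items()
                  if all(is_weak(c, v) for c, v in combos))

# Constructed sample log lines (documentation IP range, made-up syslog prefix).
SAMPLE = [
    "tmm[1234]: From IP: 192.0.2.10 - User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) - cipher: ECDHE-RSA-AES128-GCM-SHA256 - version: TLSv1.2",
    "tmm[1234]: From IP: 192.0.2.11 - User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) - cipher: DES-CBC3-SHA - version: TLSv1",
    "tmm[1234]: From IP: 192.0.2.12 - User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) - cipher: RC4-SHA - version: TLSv1",
    "tmm[1234]: From IP: 192.0.2.13 - User Agent:  - cipher: AES128-SHA - version: TLSv1.2",
    "tmm[1234]: unrelated message that should be ignored",
]

if __name__ == "__main__":
    seen = tally(SAMPLE)
    for ua, combos in seen.items():
        for (cipher, version), hits in combos.most_common():
            flag = "WEAK" if is_weak(cipher, version) else "ok"
            print(f"{hits:4d}  {flag:4s}  {version:8s} {cipher:30s} {ua}")
    print("Seen only on weak settings:", weak_only_agents(seen))
```

An agent listed as weak-only is a candidate to check against that browser's default cipher list, since what it negotiated also depends on the cipher order configured on the server side.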