Weak Ciphers Supported

Question

Hello, BIG IP F5 LTM 12.1.2, Hotfix-BIGIP-12.1.2.2.0.276-HF2&nbsp;
I have one ssl client profile with the following cipher:DEFAULT:!3DES:!DHE!TLSv1:!TLSv1_1&nbsp;
When I perform an SSL scan of the associated domain, it shows as vulnerable: &nbsp;
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DH 1024 bit, WEAK DH Group Size)&nbsp;
On the same SSL profile, I also configure this chain:
!EXPORT:!3DES:!DHE:!DH:!MD5:!SSLV3:!DTLv1:!ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:!TLSv1_1:tlsV1_2&nbsp;
I have the same problem
¿Could you help me to fix it?&nbsp;
TLS_DHE_RSA_WITH_AES_128_CBC_SHA&nbsp;

surgeon · Answer

This is because you DH 1024 bit. big-ip does not support dhe 2048 due to some technical aspects of such type of ciphers. You can disable DHE and use ECDHE instead.

Are you sure you are connecting to big-ip directly? There is not RSA-DHE cipher listed on version 12.1.2 with cipher string you used.
tmm --clientciphers 'DEFAULT:!DHE:!TLSv1:!TLSv1_1:!3DES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
 2:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
 4:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
 5:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
 6:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
 7:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
 8: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 9: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
10: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
11: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
12: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
13: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Weak Ciphers Supported

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Related Content

Disabling Weak Ciphers

Disabling Specific Weak Cipher Suites

Cipher Suites Supported (12.1.5.3)

How to disable weak cipher from Client SSL Profile

Lightboard Lessons: Choosing Strong vs Weak Ciphers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS