For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nuruddin_Ahmed_'s avatar
Nuruddin_Ahmed_
Icon for Cirrostratus rankCirrostratus
Jun 20, 2016

Weak Ciphers

Hi,   We have applied verisign wildcard certificate for all our application as a client side certificate. We get B SSL ratings for our applications because of ciphers negotiated -   This server...
application delivery
BIG-IP
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Jun 20, 2016

Assuming you want to keep everything as-is, and just take out DH:

(apply the custom cipher to your client-ssl profile)

DEFAULT:!DH

You can also see the full list of cipher suites that will still be enabled after your change.

(execute in BigIP BASH shell)

tmm --clientciphers 'DEFAULT:!DH'

More ways to configure your custom client-ssl cipher string, refer to https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Jun 20, 2016
You can check here for optimal cipher configs: https://devcentral.f5.com/s/feed/0D51T00006i7cGzSAI . Perhaps PCI DSS 3.1 suite (my second reply in thread) will be good for you if you're looking to harden it a bit further. In regards to your recently reported 'weak' cipher suites, they are more in the pseudo-security category. You can safely ignore them without taking any action for now, but make sure to revise it somewhere in 2017.