BoyanBonev - The recommendation is to upgrade your BIG-IP and then the whole thing is moot because the CVE was patched a long time ago. As it says in the article:

"With CVE-2014-8730/TLS POODLE there is a code fix, and all of our latest releases have it, starting with 10.2.4 HF10, 11.2.1 HF13, 11.4.0 HF9, 11.4.1 HF6, 11.5.0 HF6, 11.5.1 HF6, and 11.6.0. Upgrading for the fix is the recommended solution, and F5 Networks always recommends upgrading to the latest Hotfix Rollup for a given branch."

If you upgrade then you don't have to worry about which ciphers to use - the issue is fixed. If you don't upgrade, then you're stuck. You either have to use RC4 or accept the CVE vulnerability, period. And if the client won't support RC4 then either those clients are locked out - or you have to accept the CVE vulnerability. So, again, upgrade.