Excluding Cipher List

Question

I'm attempting to remove a specific Cipher stream from a Client SSL Profile.
I can't seem to exclude the specific two streams from the Cipher List.
Any help would be appreciated.
I need to exclude -
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA

I am using 
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES

I can't get an exclusion to remove the two cipher streams I want.
This link was a great help,
https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564
but I can't get it to function the way I want it to.

ed_summers · Answer

Are you only looking to exclude those two specific ciphers? Does the following not work for your requirement:&nbsp;
!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES&nbsp;

vijay_e · Answer

This seems to work for me:
tmm --clientciphers '!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES'
Can you post your output and identify the ciphers that you think should be excluded but still show up ? 
Just a word of caution, the cipher list that you are using is still weak. If you are looking to provide better security, I would recommend checking this out.

Forum Discussion

Excluding Cipher List

2 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Cipher Suites Supported (12.1.5.3)

iRule exclude URI

Cipher Suite Practices and Pitfalls

LTM Cipher rule

Disabling Weak Ciphers