Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites


Today we’ll take a look at fixing the error that kept us from getting a grade better than B last time.

Last time we were left with this test result:


“This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.”

This is a error pertaining to how the F5 suggests cipher suites to the client, and particularly, in what order. Sadly, this is a bit of a whack-a-mole, from time to time Qualys updates what they consider to be secure cipher suites, and then you need to go in and update your cipher lists. Usually, this happens once or twice a year. The problem is, that you can’t really just plainly disable all the older ciphers, as newer ones aren’t supported by older clients, so you need to disable the really old and horrible ciphers, while reordering them to always try the best ciphers first, and then falling back upon the less preferable ones until you find the best cipher that the client will support.

Luckily Mr. Kai Wilke of F5 has posted a short how-to on what cipher list to use, as well as an updated one when Qualys changed some things around.

So, according to Kai, the latest and greatest cipher list (as of Feb 2017) is the following, reproduced here for completeness sake:


So, now we need to apply this cipher list, and as luck will have it, it’s again under the SSL Profile that we improved last time.


Go under  Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.


After selecting Configuration: Advanced at the top of the page, scroll down to Ciphers and check Custom at the right hand side.


Click the radio button Cipher String and insert the string we borrowed from F5 into the text box.

After this you can just save your profile and rerun the SSL Test

A Grade

Which should give you the sought-after A Grade!


Categories: Networks, Tech

Tags: , , , , , ,

1 reply


  1. Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse – Grumpy Techie

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: