The only reason you would need the CLI is to perform the `tmm --clientciphers` command to detail what ciphers a string will create.

How about this one? You then just need to add this to the cipher string in the clientssl profile.

```
tmm --clientciphers 'ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
1: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
2: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
3: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
4: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
5: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
6: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA
7: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 Native AES SHA ECDHE_ECDSA
8: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.1 Native AES SHA ECDHE_ECDSA
9: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDHE_ECDSA
10: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
11: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
12: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
13: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
14: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
16: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
20: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
21: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
22: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
24: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
25: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
26: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
27: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA
28: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
29: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
30: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
31: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
```

By the way, you didn't specify a TLS version, so this includes all TLS versions. If you add `-TLSv1` at the end, that would disallow TLS 1.0.

Rgds
N
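
Added example (not part of the original posts, and not F5 code): a shell filter for the `tmm --clientciphers` listing above that prints the rows still offered below TLS 1.2, which is what a cipher string without a protocol restriction leaves enabled. The function names and the embedded sample (a subset of rows copied from the output above) are illustrative, and the nine-column layout shown above is assumed.

```bash
#!/bin/bash
# Audit `tmm --clientciphers` output for rows offered below TLS 1.2.
# Intended use (assumption): tmm --clientciphers '<string>' | legacy_rows

# Constructed sample: a subset of the rows from the listing in this thread.
sample_output() {
cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
3: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
4: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
21: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
26: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
EOF
}

# Data rows start with "<index>:" and have 9 fields; field 5 is PROT and
# field 3 is SUITE. Print "PROT SUITE" for each row whose protocol label is
# one of the pre-TLS-1.2 labels that appear in the listing above.
legacy_rows() {
  awk '$1 ~ /^[0-9]+:$/ && NF >= 9 &&
       ($5 == "TLS1" || $5 == "TLS1.1" || $5 == "DTLS1") { print $5, $3 }'
}

# Print "PROT COUNT" for every protocol label present in the listing.
protocol_summary() {
  awk '$1 ~ /^[0-9]+:$/ && NF >= 9 { n[$5]++ }
       END { for (p in n) print p, n[p] }' | LC_ALL=C sort
}

# Succeed only when the listing contains no pre-TLS-1.2 rows, so it can
# gate a change script before the string goes into the clientssl profile.
has_no_legacy() {
  [ -z "$(legacy_rows)" ]
}

# Demo on the constructed sample.
sample_output | protocol_summary
sample_output | legacy_rows
```

Rerunning `tmm --clientciphers` with the amended string and piping it through `legacy_rows` shows which legacy rows remain after each exclusion is added.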

I've reviewed it. I just want to confirm the validity of this document against the current SSL recommendations, as it was published back in 2015.

The SSL Labs list of ciphers to include and the order of priority is certainly the most accurate and updated.

DEFAULT is set to the best balance of security and performance at the time of a given release. DEFAULT is updated with each release of TMOS. The Recommended Practices Guide covers how to customize the cipher string to meet updated standards as indicated by SSL Labs or other standards-setting bodies.

Please check the section "Fine-Tuning Data Protection" starting on page 8 on how to build a cipher string to create the list of ciphers in your original post.

Based on the instructions, I see that it requires me to access the F5 via SSH to enter these commands. I wonder if there's a way to do it via the GUI? I am not too comfortable doing this via SSH.

Also, the exact instruction looks to be vague. BTW, as a reference, my F5 is currently running under 12.1.2 HF2.

BTW, I tried the one mentioned in the instruction stating:

The DEFAULT cipher string included in BIG-IP version 12.0 will yield a B grade but offers full hardware acceleration. To get that coveted A+ grade, an administrator would need to have a fairly restrictive cipher list. For example “!SSLv3:!DHE:ECDHE:RSA+HIGH” will get an A grade on SSL labs but would require every user to have a very recent browser.

However, the result gave me a Grade C rating.