Hi Nuruddin,
What version (including HF, if any) are you running? I ask because the default cipher suites for the keyword DEFAULT are different in different BIG-IP versions.
For example, on 11.6-HF6 you can use 'ECDHE:DEFAULT:!DHE:!3DES', which will produce the following cipher suites:
tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
6: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
8: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
13: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
14: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
15: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
16: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
17: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
18: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
19: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
20: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
21: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
If you don't want to support TLSv1, you can use 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1', which produces the following (on 11.6-HF6):
tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
4: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
8: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
9: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
10: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
11: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
14: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
15: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
16: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
17: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
If you also do not want to use the weaker SHA1, you can use 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1:!SHA1', which will produce the following:
tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1:!SHA1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
4: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
5: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
6: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
But in this case, remember that you will end up with only TLS1.2 cipher suites. That means older clients that only support TLSv1.1 will be affected. So, depending on your requirement, configure the appropriate cipher suite string.
Like I said earlier, the default cipher suites for the keyword 'DEFAULT' are different for different BIG-IP versions. So it is better to check the above commands on the exact version you are using.
-- Saravanan
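
Added example, not part of the post above and not F5 code: a small shell/awk audit that reads the table printed by `tmm --clientciphers` and reports which protocol versions a cipher string still enables and which rows break a policy. The function names, the reason labels and the policy arguments are assumptions made for this example; the sample rows are a subset copied from the 11.6-HF6 output for '...:!TLSv1' shown in the post.

```shell
#!/bin/bash
# Row layout, as in the post: "<idx>: ID SUITE BITS PROT METHOD CIPHER MAC KEYX"
# so in awk: $3 = suite name, $5 = protocol, $8 = MAC, $9 = key exchange.

# Subset of the post's 11.6-HF6 output for 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1'.
sample_output() {
cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
10: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
EOF
}

# Print each distinct protocol version present in the table, one per line.
protocols() {
  awk '$1 ~ /^[0-9]+:$/ { print $5 }' | LC_ALL=C sort -u
}

# violations <allowed-protocols> <denied-macs>   (both comma-separated)
# Prints "SUITE PROT reason" for every row that breaks the policy.
violations() {
  awk -v allow="$1" -v deny="$2" '
    BEGIN {
      n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1
      m = split(deny,  d, ","); for (i = 1; i <= m; i++) bad[d[i]] = 1
    }
    $1 ~ /^[0-9]+:$/ {            # skip the header line and any blank lines
      if (!($5 in ok)) print $3, $5, "protocol-not-allowed"
      if ($8 in bad)   print $3, $5, "weak-mac"
    }'
}

# Demo on the embedded rows: allow TLS1.1/TLS1.2 only, deny the SHA (SHA1) MAC.
# Note the DTLS1 row: '!TLSv1' removed the TLS1 rows but not the DTLS1 ones.
sample_output | violations 'TLS1.1,TLS1.2' 'SHA'

# On the BIG-IP itself (command taken from the post):
#   tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1' | violations 'TLS1.1,TLS1.2' 'SHA'
```

An empty result from `violations` means every listed suite satisfies the policy you passed in; run it against the output from the exact BIG-IP version in use, since DEFAULT expands differently between versions.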