Forum Discussion
AltocumulusBest practice for clientssl profiles
Can anyone recommend their preferred settings for clientssl profiles? What cipher string, options and other flags do you use?
I usually test mine using , but get at best an "A-".
3 Replies
Vitaliy_SavransNacreous
Hi, my settings are:
NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4+RSA:@SPEEDGood article about ciphers link
uniMost of those are not needed. The defaults ciphers (11.4 and & 11.5) are tighter that than now I think. I was more interested in the other clientssl profile settings anyway.
OTS02Cirrus
Just updated LTMs to 11.6.0 HF3, and that seems to automatically get you an A-. Seems Qualys SSL Labs wants you to emphasize Perfect Forward Secrecy, to get the full "A". After a lot of trial & error in a test SSL client profile (with default clientssl as parent), I managed to get an "A" by using this:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA:AES128-SHA256:DES-CBC3-SHA:!SSLv3
The only other thing not default, was checking the "Strict Resume" box. The only browser that is incompatible is IE 6/XP.
I have yet to test this for any speed penalties (PFC is said to be slower).
