Forum Discussion

Altocumulus

Mar 20, 2014

Best practice for clientssl profiles

Can anyone recommend their preferred settings for clientssl profiles? What cipher string, options and other flags do you use? I usually test mine using , but get at best an "A-".

Cirrus

Jan 20, 2015

Just updated LTMs to 11.6.0 HF3, and that seems to automatically get you an A-. Seems Qualys SSL Labs wants you to emphasize Perfect Forward Secrecy, to get the full "A". After a lot of trial & error in a test SSL client profile (with default clientssl as parent), I managed to get an "A" by using this:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA:AES128-SHA256:DES-CBC3-SHA:!SSLv3

The only other thing not default, was checking the "Strict Resume" box. The only browser that is incompatible is IE 6/XP.

I have yet to test this for any speed penalties (PFC is said to be slower).

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)