Forum Discussion

BinaryCanary_19's avatar
BinaryCanary_19
Historic F5 Account
May 05, 2015

By the way, it seems like you disabled everything except perhaps: ECDHE+AES-GCM.

 

That will break a lot of software out there.

 

Not all ciphers are considered weak.

 

I think disabling SSLv3, MD5 and RC4 should be enough to get you A+ rating.

 

Also, you should not adhere too strongly to SSLLabs rating.

 

You should only be concerned about the score based on how much strength you want, vs how much older software you wish to support. RC4 and SSLv3 are generally safe to disable, as most software in the last 10 or so years should be able to do fine without these.

 

Also, if you don't order the ciphers by Speed (@speed), then the LTM will always choose the strongest Cipher presented by the client that it also supports. I believe that if you order them by speed, then the LTM chooses the fastest Cipher that the client also supports, and not necessarily the strongest. This doesn't seem like what you want.

 

  • Joe_Pipitone's avatar
    Joe_Pipitone
    Icon for Nimbostratus rankNimbostratus
    May 05, 2015
    OK great. Thank you for the explanation. This is what I'm going with for now - any suggestions? DEFAULT:!SSLv3:!MD5:!RC4:!EXPORT Do I need to specify !RC4 or !RC4-SHA? The test results came back A- stating that forward secrecy was supported with some browsers. I can live with that.
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    May 05, 2015
    Yes, that is ok in my view too. Not all browsers support the ciphers that provide perfect forward secrecy, and if you were to disable ciphers that don't have PFS, then your site would be broken for those browsers or clients.