Forum Discussion
BigIP 11.6 HF4 + SSL ciphers
By the way, it seems like you disabled everything except perhaps: ECDHE+AES-GCM.
That will break a lot of software out there.
Not all ciphers are considered weak.
I think disabling SSLv3, MD5 and RC4 should be enough to get you A+ rating.
Also, you should not adhere too strongly to SSLLabs rating.
You should only be concerned about the score based on how much strength you want, vs how much older software you wish to support. RC4 and SSLv3 are generally safe to disable, as most software in the last 10 or so years should be able to do fine without these.
Also, if you don't order the ciphers by Speed (@speed), then the LTM will always choose the strongest Cipher presented by the client that it also supports. I believe that if you order them by speed, then the LTM chooses the fastest Cipher that the client also supports, and not necessarily the strongest. This doesn't seem like what you want.
- Joe_Pipitone (Nimbostratus), May 05, 2015: OK great. Thank you for the explanation. This is what I'm going with for now - any suggestions? DEFAULT:!SSLv3:!MD5:!RC4:!EXPORT Do I need to specify !RC4 or !RC4-SHA? The test results came back A- stating that forward secrecy was supported with some browsers. I can live with that.
- BinaryCanary_19 (Historic F5 Account), May 05, 2015: Yes, that is ok in my view too. Not all browsers support the ciphers that provide perfect forward secrecy, and if you were to disable ciphers that don't have PFS, then your site would be broken for those browsers or clients.
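The question of !RC4 versus !RC4-SHA comes down to how the cipher-string keywords resolve: a keyword such as RC4 or MD5 selects every suite that uses that algorithm, while a full suite name selects only that one suite, and "!" removes the selection permanently whereas "-" removes it but allows a later token to add it back. The following is an added example written for this thread, not code from F5 or OpenSSL. It models that evaluation over a small constructed suite table (OpenSSL-style names, not an exhaustive list), treats the protocol keywords as version switches in the way the BIG-IP string DEFAULT:!SSLv3 is used above (the keyword spellings TLSv1_1 and TLSv1_2 are an assumption of the model), and treats DEFAULT as "everything except anonymous and unencrypted suites".

```python
"""Toy evaluator for a BIG-IP / OpenSSL style cipher string.

Added example for this thread, not F5 or OpenSSL code. Tokens are separated
by ':'. A bare word adds matching suites, '-' removes them (they may be
re-added later), '!' removes them for good, '+' moves them to the end and
'@STRENGTH' sorts by key length. 'A+B' inside one token means "suites that
match both". Protocol keywords are modelled as version switches.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Protocol-version keywords, spelled the BIG-IP way (assumption of this model).
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int                 # symmetric key length, used by @STRENGTH
    aliases: FrozenSet[str]   # keywords that select this suite


def suite(name: str, bits: int, *aliases: str) -> Suite:
    return Suite(name, bits, frozenset(aliases))


# Constructed table: OpenSSL-style names, deliberately small and not exhaustive.
SUITES: List[Suite] = [
    suite("ECDHE-RSA-AES256-GCM-SHA384", 256, "ECDHE", "RSA", "AES", "AESGCM", "SHA384", "HIGH"),
    suite("ECDHE-RSA-AES128-GCM-SHA256", 128, "ECDHE", "RSA", "AES", "AESGCM", "SHA256", "HIGH"),
    suite("ECDHE-RSA-AES256-SHA", 256, "ECDHE", "RSA", "AES", "SHA1", "HIGH"),
    suite("AES256-SHA", 256, "RSA", "AES", "SHA1", "HIGH"),
    suite("AES128-SHA", 128, "RSA", "AES", "SHA1", "HIGH"),
    suite("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1", "MEDIUM"),
    suite("RC4-SHA", 128, "RSA", "RC4", "SHA1", "MEDIUM"),
    suite("RC4-MD5", 128, "RSA", "RC4", "MD5", "MEDIUM"),
    suite("EXP-RC4-MD5", 40, "RSA", "RC4", "MD5", "EXPORT", "LOW"),
    suite("NULL-SHA", 0, "RSA", "eNULL", "SHA1", "LOW"),
    suite("ADH-AES128-SHA", 128, "DH", "aNULL", "AES", "SHA1", "HIGH"),
]

# Modelled: DEFAULT is every suite that is neither anonymous nor unencrypted.
DEFAULT_EXCLUDES = {"aNULL", "eNULL"}


def matches(word: str, s: Suite) -> bool:
    """A suite matches 'A+B' when every part is its name or one of its aliases."""
    return all(part == s.name or part in s.aliases for part in word.split("+"))


def evaluate(cipher_string: str) -> Tuple[List[str], List[str]]:
    """Return (enabled protocol versions, enabled suite names in order)."""
    protocols: Set[str] = set()
    enabled: List[Suite] = []
    killed: Set[Suite] = set()  # removed with '!': never comes back

    for token in cipher_string.split(":"):
        if not token:
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)

        if word == "@STRENGTH":
            enabled.sort(key=lambda s: -s.bits)  # stable sort, strongest first
            continue

        if word in PROTOCOLS:
            if op in ("!", "-"):
                protocols.discard(word)
            else:
                protocols.add(word)
            continue

        if word in ("DEFAULT", "ALL"):
            hits = [s for s in SUITES if word == "ALL" or not (s.aliases & DEFAULT_EXCLUDES)]
            protocols.update(PROTOCOLS)  # modelled: the group keywords enable every version
        else:
            hits = [s for s in SUITES if matches(word, s)]

        if op == "!":
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s not in killed]

    return [p for p in PROTOCOLS if p in protocols], [s.name for s in enabled]


def uses(cipher_string: str, keyword: str) -> List[str]:
    """Names of the enabled suites that still carry `keyword` (e.g. 'RC4')."""
    _, names = evaluate(cipher_string)
    by_name = {s.name: s for s in SUITES}
    return [n for n in names if matches(keyword, by_name[n])]


if __name__ == "__main__":
    for cs in ("DEFAULT:!SSLv3:!MD5:!RC4:!EXPORT", "DEFAULT:!RC4-SHA", "DEFAULT:!RC4"):
        protos, names = evaluate(cs)
        print(f"{cs}\n  protocols: {protos}\n  RC4 left : {uses(cs, 'RC4')}\n  suites   : {names}")
```

Run against the string from the thread, the model keeps only the AES and 3DES suites and drops SSLv3 from the version list, while DEFAULT:!RC4-SHA leaves RC4-MD5 and the export RC4 suite in place, which is why the algorithm keyword, not the single suite name, is the one to negate. One caveat when checking a string with the openssl ciphers command rather than on the BIG-IP: in OpenSSL's own syntax the SSLv3 keyword selects the suites first defined for SSLv3 (AES128-SHA and friends) instead of switching off the protocol, so !SSLv3 there removes ciphers you probably meant to keep.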