Forum Discussion
Joe_Pipitone
Nimbostratus
NimbostratusBigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rati...
By the way, it seems like you disabled everything except perhaps: ECDHE+AES-GCM.
That will break a lot of software out there.
Not all ciphers are considered weak.
I think disabling SSLv3, MD5 and RC4 should be enough to get you A+ rating.
Also, you should not adhere too strongly to SSLLabs rating.
You should only be concerned about the score based on how much strength you want, vs how much older software you wish to support. RC4 and SSLv3 are generally safe to disable, as most software in the last 10 or so years should be able to do fine without these.
Also, if you don't order the ciphers by Speed (@speed), then the LTM will always choose the strongest Cipher presented by the client that it also supports. I believe that if you order them by speed, then the LTM chooses the fastest Cipher that the client also supports, and not necessarily the strongest. This doesn't seem like what you want.
Yes, that is ok in my view too. Not all browsers support the ciphers that provide perfect forward secrecy, and if you were to disable ciphers that don't have PFS, then your site would be broken for those browsers or clients.