Forum Discussion
Joe_Pipitone
Nimbostratus
NimbostratusBigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rati...
Brandon_12856Nimbostratus
NimbostratusThis is working for us to get an A+ on SSLLabs and 'is using a modern cipher suite' in chrome 44. Of course HSTS must be enabled to get the A+.
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DESHere's the rational and process:
For reference, here's the DEFAULT for 11.6:
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA1) Starting with the exclude list from the 11.6 DEFAULT:
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT2) Get rid of the DHE too since SSLLabs sees them as weak and there are other ciphers to support older browsers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE3) Prioritize the elliptic curve diffie-helman cipher that chrome likes:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM4) Prioritize all other elliptic curve diffie-helman ciphers so clients prefer forward secrecy ciphers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE5) Include other old ciphers from the DEFAULT to handle old Java and android browsers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES6) Include other old ciphers from the DEFAULT to handle IE8/XP:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES