BigIP 11.6 HF4 + SSL ciphers
This is working for us to get an A+ on SSLLabs and 'is using a modern cipher suite' in Chrome 44. Of course HSTS must be enabled to get the A+.
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES
Here's the rationale and process:
For reference, here's the DEFAULT for 11.6:
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA
1) Starting with the exclude list from the 11.6 DEFAULT:
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT
2) Get rid of the DHE too since SSLLabs sees them as weak and there are other ciphers to support older browsers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE
3) Prioritize the elliptic-curve Diffie-Hellman cipher that Chrome likes:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM
4) Prioritize all other elliptic-curve Diffie-Hellman ciphers so clients prefer forward secrecy ciphers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE
5) Include other old ciphers from the DEFAULT to handle old Java and Android browsers:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES
6) Include other old ciphers from the DEFAULT to handle IE8/XP:
!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES
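To see what the six steps above actually do to the suite order, here is an added example (not from the post and not F5 code) that models the cipher-string semantics the post relies on: tokens are colon-separated, `!` permanently excludes whatever matches, `+` ANDs keywords together, and plain tokens append matching suites in order with the first mention winning. The suite table, its attribute tags and the rules that `AES` covers both CBC and GCM variants, that `RSA` means RSA key exchange, and that `SSLv3` toggles a protocol rather than a suite are all assumptions made for the illustration; the real BIG-IP evaluator may differ in detail.

```python
"""Simplified model of a BIG-IP style cipher string (illustration only).

Assumptions (not F5's implementation):
- colon-separated tokens are evaluated left to right
- 'A+B' matches suites that carry both tags A and B
- '!X' removes matching suites for good, wherever it appears
- protocol keywords (SSLv3, TLSv1, ...) enable/disable a protocol
- 'AES' matches both AES-CBC and AES-GCM suites; 'RSA' means RSA key exchange
"""
from dataclasses import dataclass

PROTOCOL_KEYWORDS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL-style suite name
    kx: str         # key exchange: ECDHE, DHE or RSA
    enc: str        # bulk cipher: AES-GCM, AES, 3DES, RC4, DES
    mac: str        # SHA, MD5 or AEAD
    strength: str   # HIGH, MEDIUM, LOW or EXPORT (older OpenSSL classes)

    def tags(self):
        tags = {self.name, self.kx, self.enc, self.mac, self.strength}
        if self.enc == "AES-GCM":
            tags.add("AES")  # assumption: the AES keyword also covers GCM suites
        return tags


# Constructed sample table; real deployments expose many more suites.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AES-GCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "AES-GCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "AES", "SHA", "HIGH"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDHE", "AES", "SHA", "HIGH"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", "ECDHE", "3DES", "SHA", "HIGH"),
    Suite("DHE-RSA-AES128-GCM-SHA256", "DHE", "AES-GCM", "AEAD", "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "DHE", "AES", "SHA", "HIGH"),
    Suite("AES128-GCM-SHA256", "RSA", "AES-GCM", "AEAD", "HIGH"),
    Suite("AES256-SHA", "RSA", "AES", "SHA", "HIGH"),
    Suite("AES128-SHA", "RSA", "AES", "SHA", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "3DES", "SHA", "HIGH"),
    Suite("RC4-SHA", "RSA", "RC4", "SHA", "MEDIUM"),
    Suite("RC4-MD5", "RSA", "RC4", "MD5", "MEDIUM"),
    Suite("DES-CBC-SHA", "RSA", "DES", "SHA", "LOW"),
    Suite("EXP-RC4-MD5", "RSA", "RC4", "MD5", "EXPORT"),
]

DEFAULT_11_6 = ("!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:"
                "AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:"
                "ECDHE-RSA-DES-CBC3-SHA")
PROPOSED = "!LOW:!SSLv3:!MD5:!RC4-SHA:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES"


def evaluate(cipher_string, suites=SUITES):
    """Return (ordered suite names, enabled protocols) for a cipher string."""
    protocols = set(PROTOCOL_KEYWORDS)   # assumption: all start enabled
    excluded = set()
    selected = []
    for token in cipher_string.split(":"):
        negate = token.startswith("!")
        keys = token.lstrip("!").split("+")
        if all(k in PROTOCOL_KEYWORDS for k in keys):
            for k in keys:
                if negate:
                    protocols.discard(k)
                else:
                    protocols.add(k)
            continue
        for suite in suites:
            if all(k in suite.tags() for k in keys):
                if negate:
                    excluded.add(suite.name)
                elif suite.name not in selected:
                    selected.append(suite.name)
    return [n for n in selected if n not in excluded], protocols


def forward_secret(names):
    """Names of suites that use an ephemeral (forward-secret) key exchange."""
    return [n for n in names if n.startswith(("ECDHE-", "DHE-"))]


if __name__ == "__main__":
    for label, cs in (("DEFAULT", DEFAULT_11_6), ("PROPOSED", PROPOSED)):
        order, protos = evaluate(cs)
        print(f"{label}: protocols={sorted(protos)}")
        for i, name in enumerate(order, 1):
            print(f"  {i:2d}. {name}")
```

Feeding each intermediate string from steps 1 to 6 into `evaluate` shows the order being built up: the exclusion-only strings select nothing, step 3 puts the ECDHE GCM suites at the top, and the final string keeps the RSA AES and 3DES suites at the bottom for the legacy clients the post names. It also makes the DEFAULT's weakness visible: there the DHE suites sit first, ahead of ECDHE.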