Forum Discussion
Sean_Gray_14855
Apr 17, 2014 Nimbostratus
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have had no luck so far. I've also opened a ticket wi...
Sean_Gray_14855
Nimbostratus
Got this working fine a while ago using the above suggestions. I did run into a problem with killing certain versions of IE and Windows that I actually did want to support, so I ended up with the following as my cipher string which allowed me to support all of the OS/browser combos I wanted while also supporting PFS:
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED
After doing this, setting up the iRule for HSTS, and renewing my cert with SHA-256, my site hit the "A+" mark with SSLLabs.
AJ_01_135899
Jun 02, 2015 Cirrostratus
Is this with a specific hotfix applied to 11.4.1? I was under the impression that RC4-SHA was the only POODLE-secure cipher on 11.4.1 (and RC4-SHA would automatically bump you down to a "C"). I'm also not seeing AES-GCM in the list on 11.4.1.
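Added example, not part of the thread: on a BIG-IP, `tmm --clientciphers '<cipher string>'` lists the suites a string expands to on that build, in preference order. The script below reads that listing and reports every suite without an ephemeral key exchange; the row layout it parses and the sample rows are assumptions constructed for illustration, not output captured from 11.4.1.

```shell
#!/bin/bash
# Added example. Reads `tmm --clientciphers '<string>'` style output on stdin
# and prints each suite whose key exchange is not ephemeral (no forward
# secrecy), together with its position in the preference order.
# Assumed row layout (an assumption, check against your build):
#   <idx>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>
non_pfs_suites() {
    awk '
        $1 ~ /^[0-9]+:$/ {              # data rows only; the header is skipped
            keyx = $NF                  # key exchange is the last column
            # ECDHE_*, DHE_* and EDH_* key exchanges are ephemeral
            if (keyx !~ /^(ECDHE|DHE|EDH)/)
                printf "%s %s %s\n", $1, $3, keyx
        }'
}

# Preference position of the first non-PFS suite; empty if all are ephemeral.
# A client that offers only suites at or after this position gets no PFS.
first_non_pfs_index() {
    non_pfs_suites | head -n 1 | cut -d: -f1
}

# Constructed sample in the shape of the listing (not from a real device).
sample_output() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-SHA             128  TLS1.2  Native  AES      SHA     ECDHE_RSA
 2:    47  AES128-SHA                       128  TLS1.2  Native  AES      SHA     RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES      SHA     RSA
EOF
}

# On the device, replace sample_output with the real listing, e.g.:
#   tmm --clientciphers 'ECDHE+AES-GCM:NATIVE:!MD5:...' | non_pfs_suites
sample_output | non_pfs_suites
```

An empty result means every listed suite is forward secret; if no AES-GCM or ECDHE rows appear in the listing at all, the running build does not offer them for that string.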