Sean_Gray_14855
Apr 17, 2014 Nimbostratus
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have had no luck so far. I've also opened a ticket wi...
JMart_143192
Nimbostratus
Hello everyone,
I am trying to get PFS enabled on my platform. I have the following profile enabled:
ltm profile client-ssl /Common/clientssl_HB_users {
    app-service none
    ca-file /Common/cert.crt
    cert /Common/cert_2015.crt
    ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4
    defaults-from /Common/clientssl
    key /Common/cert_2015.key
    options { dont-insert-empty-fragments no-sslv3 }
    renegotiation disabled
}
I'm getting an A- on SSL Test and I need to upgrade it. My platform is on version 11.4.1 HF 6. Could you help me solve this? Thank you so much!
Steve_M__153836
Aug 14, 2015 Nimbostratus
There are many things that go into that grade. I know there are two renegotiation settings in the profile. Make sure the one you have disabled is the one that corresponds to client-side renegotiation. Also found this in Qualys' recommendations (https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf).
"3DES provides about 112 bits of security. This is below the recommended minimum
of 128 bits, but it’s still strong enough. A bigger practical problem is that
3DES is much slower than the alternatives. Thus, we don’t recommend it for performance
reasons, but it can be kept at the end of the cipher list for interoperability
with very old clients."
If there is anything from the result that states why you received the grade you did, please post that so we can review it.
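
An added example, not part of the thread and not F5 or Qualys tooling: a small Python check over a server's cipher preference order (for instance, as listed in an SSL test report) that flags missing forward secrecy, 3DES placed ahead of stronger suites, and families the posted cipher string excludes. The suite list is constructed, the names are OpenSSL-style, and the ranking policy (3DES last, ECDHE/DHE first otherwise) is an assumption drawn from the poster's goal and the Qualys quote above.

```python
# Constructed sample: suites in server preference order, OpenSSL-style names.
# Not taken from the poster's BIG-IP.
SAMPLE_ORDER = [
    "AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "AES256-SHA", "RC4-SHA",
]

def is_pfs(suite):
    """Ephemeral (EC)DH key exchange is what provides forward secrecy."""
    return suite.upper().startswith(("ECDHE-", "DHE-", "EDH-"))

def is_3des(suite):
    return "DES-CBC3" in suite.upper()

def is_banned(suite):
    """Families the posted cipher string excludes: RC4, MD5, EXPORT, single DES."""
    s = suite.upper()
    return "RC4" in s or s.endswith("-MD5") or s.startswith("EXP") or "DES-CBC-" in s

def rank(suite):
    # Assumed policy: 3DES last (Qualys quote), PFS first within each group.
    return (is_3des(suite), not is_pfs(suite))

def recommended_order(order):
    """Drop banned suites, then stable-sort by rank so ties keep their order."""
    return sorted((s for s in order if not is_banned(s)), key=rank)

def audit(order):
    """Return a list of findings; an empty list means the order passes."""
    findings = [f"banned suite offered: {s}" for s in order if is_banned(s)]
    kept = [s for s in order if not is_banned(s)]
    if not any(is_pfs(s) for s in kept):
        findings.append("no forward-secret (ECDHE/DHE) suite offered")
    # The list is correctly ordered only if every adjacent pair is in rank order.
    for earlier, later in zip(kept, kept[1:]):
        if rank(earlier) > rank(later):
            findings.append(f"{later} should be preferred over {earlier}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_ORDER):
        print("FINDING:", line)
    print("Suggested order:", recommended_order(SAMPLE_ORDER))
```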