Forum Discussion
Sean_Gray_14855
Nimbostratus
NimbostratusEnabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
JMart_143192Nimbostratus
NimbostratusHello everyone,
I am trying to get the PFS enabled on my platform, I have the following profile enabled:
ltm profile client-ssl /Common/clientssl_HB_users {
app-service none
ca-file /Common/cert.crt
cert /Common/cert_2015.crt
ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4
defaults-from /Common/clientssl
key /Common/cert_2015.key
options { dont-insert-empty-fragments no-sslv3 }
renegotiation disabled
I'm getting and A- on SSL Test and I need to upgrade it, My platform is on version 11.4.1 HF 6. Could you help me to solutionate this? Thank you so much! Thank you so much.
Steve_M__153836Nimbostratus
NimbostratusThere are many things that go into that grade. I know there are are two renegotiation settings in the profile. Make sure the one you have disabled is the one that corresponds to client-side renegotiation. Also found this in Qualys' recommendations (https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf).
"3DES provides about 112 bits of security. This is below the recommended minimum
of 128 bits, but it’s still strong enough. A bigger practical problem is that
3DES is much slower than the alternatives. Thus, we don’t recommend it for performance
reasons, but it can be kept at the end of the cipher list for interoperability
with very old clients."
If there is anything from the result that states why you received the grade you did please post that so we can review it.