Forum Discussion
Get A Grade on SSL LAB for VIP
Try this one which I found in a thread on the old devcentral:
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!3DES:-MD5:-SSLv3:-RC4
I also have the following options enabled in the SSL client profile: no SSLV3, no TLSv1, and no TLSv1.1.
Here's how it comes out on SSL labs:
I find that I can get similar results locally using nmap's nse script to enum-ssl-ciphers like so:
PS C:\Users\user\nmap-7.70> .\nmap.exe -sV --script ssl-enum-ciphers -p 443 hostname.organization.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-27 12:33 Eastern Daylight Time
Nmap scan report for 123.123.123.123
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http httpd
|_http-server-header:
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Service Info: OS: OS; CPE: cpe:/o:cpe
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds
It's nice to not be dependent on an external resource for a quick, repeatable check and also not forget to hide the results.
Good luck!
Can u please suggest a cipher string for V 13.0 as grade has been changed but Weak Cipher s issue still persists .
Here is the string :
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3
- Mark_GallagherAug 28, 2019Altocumulus
This works but I think you'll definitely see downlevel client failures:
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:!ECDHE+AES:!RSA+AES-GCM:!RSA+AES:!ECDHE+3DES:!RSA+3DES:!SSLv3
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com