Getting an awesome Qualys SSL-Labs rating

Question

Hi guys&nbsp;
I have to work to get A or A+ grade by test SSL-Labs.&nbsp;
I`ve examine this Article but not clear.&nbsp;
https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489&nbsp;
Question 1. 
by adjusting ciphers &nbsp;
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4&nbsp;
Win XP / IE8 user would be reject, is there any possible method using 3DES and get over A grade?&nbsp;
Question 2. 
regarding ECDH public server param reuse : Yes&nbsp;
It seems that there are two solutions.
1) Client SSL profile --&gt; option list --&gt; Single DH use&nbsp;
2) set i-Rule&nbsp;
when HTTP_RESPONSE  {
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000"
}&nbsp;
which one is more effective to solve ECDH public server param reuse?&nbsp;
thank you.&nbsp;

swjo_264656 · Answer

Does i-Rule means insert cookie(Strict-Transport-Security) on HTTP header,&nbsp;
Do I need to set the cookie value at random, or should I set it to that value?&nbsp;

stanislas_piro2 · Answer

Hi,
All answers for your questions are on the Article you provide links and its comments.
The irule insert HTTP header named Strict-Transport-Security. this is not a cookie.
In version 12.0 and above, this configuration can be done without irule in HTTP profile (create a new one assigned only on HTTPS virtual servers)

kai_wilke · Answer

Hi Swjo,&nbsp;

Win XP / IE8 user would be reject, is there any possible method using 3DES and get over A grade?&nbsp;

The cipher string I've posted in the HowTo does NOT exclude every single DES cipher. It just disabled DHE+DES based ciphers, since F5 does not support DHE keys with appropiate key sizes.&nbsp;
Windows XP / IE8 will be still supported if IE8 has turned on TLS1.0 / TLS1.1. You can see this by &nbsp;

Question 2. &nbsp;

ECDH resuse and setting HSTS headers are two seperate issues. ECDH resuse will make sure that you generate a fresh ECDH key pair for ever single SSL session and HSTS will make sure to mark you site as SSL-only so that clients will stop to send plaintext HTTP requests...&nbsp;
Note: You should also set the "SSL Renegotiation Size" to "1 GB" to counter sweet32 attacks.&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

Getting an awesome Qualys SSL-Labs rating

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Achieving an SSL Labs A+ score with F5 products

SSL forward proxy on VE Lab License possible?

Let's Get Critical, Critical

Getting Started on DevCentral

Security Sidebar: Improving Your SSL Labs Test Grade

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS