For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

swjo_264656's avatar
swjo_264656
Icon for Cirrostratus rankCirrostratus
Aug 23, 2017

Getting an awesome Qualys SSL-Labs rating

Hi guys   I have to work to get A or A+ grade by test SSL-Labs.   I`ve examine this Article but not clear.   https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rati...
application delivery
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Oct 16, 2017

Hi Swjo,

 

Win XP / IE8 user would be reject, is there any possible method using 3DES and get over A grade?

 

The cipher string I've posted in the HowTo does NOT exclude every single DES cipher. It just disabled DHE+DES based ciphers, since F5 does not support DHE keys with appropiate key sizes.

 

Windows XP / IE8 will be still supported if IE8 has turned on TLS1.0 / TLS1.1. You can see this by

 

Question 2.

 

ECDH resuse and setting HSTS headers are two seperate issues. ECDH resuse will make sure that you generate a fresh ECDH key pair for ever single SSL session and HSTS will make sure to mark you site as SSL-only so that clients will stop to send plaintext HTTP requests...

 

Note: You should also set the "SSL Renegotiation Size" to "1 GB" to counter sweet32 attacks.

 

Cheers, Kai