Forum Discussion
Optimal cipher string
So, just asking for some opinions here. This is my current optimal cipher string:
!SSLv3:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-CBC-SHA
I basically suggest lopping off ciphers from the right until client apps stop working, and then adding the last one back. Also, I guess, disable renegotiation and enable strict transport security in the HTTP profile.
Does this seem reasonable? What else can be suggested?
//Jan
1 Reply
I would say on newer versions, 11.5 and later, the cipher sets are already pretty good. Rarely have a reason to modify them anymore. Your current cipher is OK, but I don't like the length of its configuration. Maybe you can achieve the same outcome with fewer options? Give a try with DEFAULT and run tmm --clientciphers 'DEFAULT:!exclusions' (in Bash) to see if the same outcome can be achieved with less.
In regards to enabling HSTS, it's a yes-go. In regards to (TLS/SSL?) renegotiation, I can't give a definitive answer that would apply for 95% or more of cases. If asked for my opinion, I'd say that in relation to TLS/SSL security or performance, the renegotiation setting doesn't change that much, but depending on your configuration, you can be susceptible to more DDOS attack vectors. My approach with this setting is to do what's best from an anti-DDOS perspective. Some people have a different approach.
Article on the setting: https://devcentral.f5.com/articles/ssl-profiles-part-6-ssl-renegotiation
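The "lop off from the right until a client breaks" procedure from the original post, as an added example that is not from the thread or from F5: it parses the posted cipher string, simulates server-preference suite selection against constructed client offers, and trims suites from the right until some client would no longer negotiate. The client names and their offered suites are hypothetical.

```python
# Added example, not from the thread. Simulates Jan's trimming procedure
# offline: server-preference negotiation against constructed client offers.
from typing import Dict, List, Optional

# The cipher string from the original post. "!SSLv3" is a protocol
# exclusion, not a suite, so the parser drops it.
SERVER_CIPHERS = (
    "!SSLv3:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-CBC-SHA"
)

# Constructed, hypothetical client offers (what each client advertises).
CLIENTS: Dict[str, List[str]] = {
    "modern-browser": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "older-client": ["ECDHE-RSA-AES256-CBC-SHA", "AES128-SHA"],
    "legacy-only": ["ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"],
}


def parse_cipher_string(spec: str) -> List[str]:
    """Ordered preference list from a colon-separated string; '!' rules are
    exclusions (e.g. !SSLv3) rather than suites and are left out."""
    return [c for c in spec.split(":") if c and not c.startswith("!")]


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((c for c in server_prefs if c in offered), None)


def trim_from_right(server_prefs: List[str], clients: Dict[str, List[str]]) -> List[str]:
    """Drop the last suite while every client still negotiates; stop (keeping
    the last working list) as soon as a client would fail."""
    keep = list(server_prefs)
    while len(keep) > 1:
        trial = keep[:-1]
        if not all(negotiate(trial, o) is not None for o in clients.values()):
            break
        keep = trial
    return keep


def sole_dependents(server_prefs: List[str], clients: Dict[str, List[str]], suite: str) -> List[str]:
    """Clients for which `suite` is the only suite they share with the server,
    i.e. the clients that force the operator to keep it."""
    allowed = set(server_prefs)
    return sorted(name for name, offer in clients.items()
                  if set(offer) & allowed == {suite})


if __name__ == "__main__":
    prefs = parse_cipher_string(SERVER_CIPHERS)
    trimmed = trim_from_right(prefs, CLIENTS)
    print("kept:", trimmed)
    print("3DES needed by:", sole_dependents(prefs, CLIENTS, "ECDHE-RSA-DES-CBC3-SHA"))
```

Swapping in real client offers (for example from a packet capture of each client's ClientHello) turns this into a check of which client is the reason a given suite stays in the string.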