Forum Discussion
CirrusSSL Labs A rating - 2017 Jan update
SSL Labs will change their rating. It will give penalties if still using 3DES with TLS 1.1 and newer protocol. How could I configure Bigip to support this ? But still support 3DES with TLS 1.0.
https://blog.qualys.com/ssllabs/2017/01/18/ssl-labs-grading-changes-january-2017
I´m using this chiper settings on the profile: !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@STRENGTH
4 Replies
Leonardo_SouzaCirrocumulus
I don't think that is possible, when you disable 3DES it will be for all protocols.
You can check what protocols will be used with this command:
tmm --clientcipher "cipher"Your cipher in a v13 box, only shows AES.
- Kai_Wilke
MVP
Hi Magnus,
you may check out my post...
The post contains a chipher string that supports 3DES for TLS1.0, TLS1.1 and TLS1.2 but achives an A or even A+ rating by placing DES to the very buttom of the list.
Note: Please review the comments of my post. They are containing additional information to secure DH and 3DES usage.
Cheers, Kai
carlitos05Nimbostratus
Kai, your post does not exist any more?
- Lidev
Nacreous
Hi Carlitos,
The link is valid here :https://devcentral.f5.com/s/feed/0D51T00006aEjM9SAK
if you are running v13.x or 14.x of BIG-IP, you can now configure a custom cipher group using the Configuration utility.
Regards
