Forum Discussion
SSLLabs A+, F5 LTM 11.4
You can get an A+ without having to re-order the cipher preference.
This works fine (v11.5.2): ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:!RC4
However, in order to get A+ you need HSTS configured (180+ days) and the header inserted on the "/" URI (which is what SSL Labs uses to test with). In an example virtual I have locked down so only certain IPs can get to it and all others get an HTTP 400 response - with that setup, inserting the Strict-Transport-Security header in the HTTP_RESPONSE event does not work, since the "HTTP::respond 400" command in the HTTP_REQUEST event does not fire the HTTP_RESPONSE event. What needs to happen is to have any iRule which responds directly to the client for the "/" URI via HTTP::respond, HTTP::redirect, etc. include the Strict-Transport-Security header as part of that response. This is rather arbitrary: your site can support HSTS in general without supporting it on "/" - where you just 301/302 - but SSL Labs won't give you the A+ unless they see that header in the HTTP response for that hit.
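The setup described in the post above, as an added iRule sketch that is not part of the original post: every response the BIG-IP generates itself carries the HSTS header, and HTTP_RESPONSE covers what comes back from the pool. The data group name `allowed_clients_dg` and the redirect target `/app/` are assumptions for illustration.

```tcl
when RULE_INIT {
    # 180 days in seconds, the minimum the post gives for the A+ grade
    set static::hsts_value "max-age=15552000"
}

when HTTP_REQUEST {
    # allowed_clients_dg: assumed address-type data group of permitted source IPs
    if { not [class match [IP::client_addr] equals allowed_clients_dg] } {
        # HTTP::respond answers the client directly, so HTTP_RESPONSE never
        # fires for this request. The header must be part of this response.
        HTTP::respond 400 content "Bad Request" \
            "Strict-Transport-Security" $static::hsts_value \
            "Connection" "close"
        return
    }

    # A locally generated redirect on "/" has the same gap. HTTP::respond is
    # used here so the header can be passed as an argument with the Location.
    # "/app/" is an assumed landing path.
    if { [HTTP::path] eq "/" } {
        HTTP::respond 301 \
            "Location" "https://[HTTP::host]/app/" \
            "Strict-Transport-Security" $static::hsts_value
        return
    }
}

when HTTP_RESPONSE {
    # Responses from a pool member do fire this event. Insert the header
    # only if the server has not already set one.
    if { not [HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert "Strict-Transport-Security" $static::hsts_value
    }
}
```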