Forum Discussion
bkhowson
Nimbostratus
NimbostratusSSLLabs A+, F5 LTM 11.4
We are testing a configuration to achieve an A+ grade on the SSLLabs.com server test.
The "DEFAULT" ciphers is documented in sol13156 and sol13171.
DEFAULT = NATIVE:!MD5:!EXPORT:!DES:!DHE:...
Stefan_Klotz
Cumulonimbus
CumulonimbusFor version 11.4.1 we are using the following cipher string:
!COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1
This results in the following available ciphers and order:
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
4: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
6: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
8: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
9: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
10: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
11: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
12: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
13: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
14: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
15: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
16: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
We disabled TLS1.0 by default as long as we don't have a dedicated requirement for any old browsers/clients which needs to be supported. And we also disabled Renegotiation in the SSL profile.
Any concerns about that?
If you are interested I raised a dedicated discussion for version 11.5 here.
Ciao Stefan 🙂
