SSLlabs.com test capped to B

I am running 11.4.1 with HF9. My current SSL ciphers options are: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1

Test for the certificate gives me B

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

From the tests to Diffie-Hellman implementation, I see:

Good News! This site uses a unique or infrequently used 1024-bit Diffie-Hellman group. You are likely safe, but it's still a good idea to generate a unique, 2048-bit group for the site.

Did anyone manage to get A/A+ on version 11.4.1?

Hannes_Rapp_162
Oct 12, 2015
Both A and A+ are possible on 11.4.1. You're losing some score because of 1028 bit key, but also 128bit SSL ciphers reduce your score a little. In regards to key strength, you can't do much unless you're willing to renew the certificate immediately. When the time comes, generate a new CSR based on a 4096 bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.

More information on SSL labs grading:

https://devcentral.f5.com/articles/security-sidebar-improving-your-ssl-labs-test-grade

Hannes_Rapp
Nimbostratus
Oct 12, 2015
Both A and A+ are possible on 11.4.1. You're losing some score because of 1028 bit key, but also 128bit SSL ciphers reduce your score a little. In regards to key strength, you can't do much unless you're willing to renew the certificate immediately. When the time comes, generate a new CSR based on a 4096 bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.

More information on SSL labs grading:

https://devcentral.f5.com/articles/security-sidebar-improving-your-ssl-labs-test-grade
- Rajesh_06_15705
  Nimbostratus
  Oct 12, 2015
  Here are nmap results for the certificate Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2015-08-24T00:00:00 | Not valid after: 2016-10-26T12:00:00 | MD5: bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5 |_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0 | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key |_ least strength: C
- Rajesh_06_15705
  Nimbostratus
  Oct 12, 2015
  Made changes to ciphers to: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1 This cipher set gave me A on ssllabs.com test
Hannes_Rapp_162
Nacreous
Oct 12, 2015
Both A and A+ are possible on 11.4.1. You're losing some score because of 1028 bit key, but also 128bit SSL ciphers reduce your score a little. In regards to key strength, you can't do much unless you're willing to renew the certificate immediately. When the time comes, generate a new CSR based on a 4096 bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.

More information on SSL labs grading:

https://devcentral.f5.com/articles/security-sidebar-improving-your-ssl-labs-test-grade
- Rajesh_06_15705
  Nimbostratus
  Oct 12, 2015
  Here are nmap results for the certificate Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2015-08-24T00:00:00 | Not valid after: 2016-10-26T12:00:00 | MD5: bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5 |_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0 | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | compressors: | NULL | cipher preference: server | warnings: | Key exchange parameters of lower strength than certificate key |_ least strength: C
- Rajesh_06_15705
  Nimbostratus
  Oct 12, 2015
  Made changes to ciphers to: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1 This cipher set gave me A on ssllabs.com test

Forum Discussion

SSLlabs.com test capped to B

Recent Discussions

Earth Simnavaz

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

Related Content

Blockchain security and CAP theorem

VIPTest: Rapid Application Testing for F5 Environments

Cap and not Cap uri

Testing the security controls for a notional FDX Open Banking deployment

DC failover test via GTM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS