Forum Discussion
Mike_Morse_1839
Nimbostratus
NimbostratusThe best ciphersuite
Hi
We host several virtual servers on our LTM and assign SSL profiles to them with certain ciphersuites, I wish to improve them.
My question is, can anyone suggest an appropriate cipher suite to ...
Brad_Parker_139
Nacreous
NacreousYou should update to the latest hotfix to patch POODLE (TLS) ASAP. As for BEAST/RC4, they both can;t be mitigated server side unless you remove TLSv1.0 support, which generally isn't possible yet for most people as its still widely used. I would recommend something like 'DEFAULT:!SSLv3:!RC4' and run the latest hotfix. The need for !SSLv3 will be dependent on the version you are running. Since BEAST is considered to be mostly mitigated client side it is the lesser evil vs RC4. RC4 is considered to be "weak" and should be disabled when possible. What version of BigIP are you running?
- Brad_Parker_139So with 11.4.1 you should upgrade to at least HF6 and 'DEFAULT:!SSLv3:!RC4' will mitigate everything except for TLSv1.0 BEAST, but ssllabs won't ding you for it as it is mitigate client side in all up-to-date browsers.