Forum Discussion
The best ciphersuite
You should update to the latest hotfix to patch POODLE (TLS) ASAP. As for BEAST/RC4, they both can;t be mitigated server side unless you remove TLSv1.0 support, which generally isn't possible yet for most people as its still widely used. I would recommend something like 'DEFAULT:!SSLv3:!RC4' and run the latest hotfix. The need for !SSLv3 will be dependent on the version you are running. Since BEAST is considered to be mostly mitigated client side it is the lesser evil vs RC4. RC4 is considered to be "weak" and should be disabled when possible. What version of BigIP are you running?
- Brad_ParkerMar 02, 2015CirrusSo with 11.4.1 you should upgrade to at least HF6 and 'DEFAULT:!SSLv3:!RC4' will mitigate everything except for TLSv1.0 BEAST, but ssllabs won't ding you for it as it is mitigate client side in all up-to-date browsers.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com