Achieving an SSL Labs A+ score with F5 products
Overview
Transport Layer Security (TLS, formerly SSL or Secure Sockets Layer) is a very well-established layer 5 protocol with many moving parts. It has been augmented significantly over the years to address a seemingly endless series of new requirements and vulnerabilities. Despite its significant maturity, TLS remains a misunderstood system that organizations struggle with.
This article aims to describe what is required to achieve a good TLS configuration on F5 products, from the point of view of an industry standard SSL Labs testing tool from Qualys.
Generally, getting a good score (at the moment!) from SSL Labs involves a few main points:
- Restricting the supported protocols to TLS 1.2 and 1.3
- Disabling weak ciphers, algorithms, and configuration options
- Enabling HTTP Strict Transport Security (HSTS).
If you do the above things, you should easily be able to achieve an A or A+ score.
Having HSTS enabled means that a client browser will always try to connect to your site using HTTPS. You should be somewhat cautious when enabling HSTS, as this setting is cached by the client browser (for a definable period). If you had a catastrophe with your site, it could potentially leave it unreachable as browsers would never try to connect via HTTP. In my view, the risk is low and the reward is high.
F5 Distributed Cloud
If you have an HTTPS-enabled Load Balancer configuration configured on F5 Distributed Cloud, then this task couldn't be easier. The 'TLS Security Level' setting of 'High' should get you an 'A' score, and all you need to do to achieve an 'A+' is enable HSTS.
Make sure 'TLS Security Level' is set to 'High', tick the 'Add HSTS Header' option and pat yourself on the back because you're all done.
F5 BIG-IP
To securely configure an HTTPS service on a BIG-IP, we are going to configure two objects, an HTTP profile and an SSL profile. This article will presume that you have an existing Virtual Server and other underlying configuration (SSL certificates, etc).
SSL profile
The SSL profile needs to be using a cipher group such as 'f5-secure' and the following options set: No SSL, No DTLS, No TLS v1.1, Single DH use, No DTLS v1.2, No SSLv3, No TLSv1. I also recommend changing the SSL signing hash algorithm to SHA256 or SHA384.
A sample Client SSL configuration looks like this:
ltm profile client-ssl clientssl_Mysite-2023 {
cert-key-chain {
Mysite-Chain-0 {
cert Mysite-2023
chain Mysite-2023
key Mysite-2023
}
}
cipher-group f5-secure
ciphers none
defaults-from clientssl
options { dont-insert-empty-fragments no-ssl no-dtls no-tlsv1.1 single-dh-use no-dtlsv1.2 no-dtlsv1 no-sslv3 no-tlsv1 }
ssl-sign-hash sha384
}
HTTP profile
The HTTP profile also needs some changes to insert the headers associated with HSTS:
ltm profile http http_Mysite-2023 {
defaults-from http
hsts {
include-subdomains enabled
maximum-age 31536000
mode enabled
preload disabled
}
proxy-type reverse
}
If you are using iRules to do other HTTP transforms, then you may need to do the HSTS HTTP header insertions in an iRule due to the order of operations of the TMM proxy.
These instructions have been developed on TMOS 17.1. Similar results should be possible on older versions back to TMOS 14.1. Anything older won't support the requisite ciphers and protocols required for a good score.
NGINX Plus
Because NGINX has such strong community support, the TLS security settings required for a good SSL Labs score with NGINX Plus are easily found.
The settings below will do the trick:
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_buffer_size 4k;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
If you are using LetsEncrypt, you may find these settings are automatically installed for you when certbot manages your certificates.
For a more thorough discussion of configuring TLS on NGINX+, please review this article.
Other considerations
Disabling TLS 1.1 (and older) as described in this guide will mean that old browsers can no longer connect to your site using HTTPS. Browsers that can't support at least TLS 1.2 probably shouldn't be used anymore, as there is likely a very large number of other problems they are vulnerable to. Some organizations create a non-SSL landing page that presents a "sorry" page for such browsers. I can envisage a little logic in an iRule that checks for old HTTP User Agent's and redirects to a "sorry" page, while newer browsers are redirected to a HTTPS site.
Another piece of the puzzle to consider is DNS configuration—which is a topic large enough for its own post. That aside, it is worth mentioning that you should implement a CAA record (Certificate Authority Authorization) that defines which TLS Certificate Authorities are allowed to issue certificates for your DNS domain. It is a simple change that SSL Labs looks for in its tests (though it doesn't appear to change the score).
The DNS record is similar to below:
example.org. CAA 128 issue "letsencrypt.org"
For more information, look at RFC 6844.
Conclusion
These instructions to achieve a good SSL Labs score and the required configurations are valid at the time of published, but a good security posture is a moving target and as such requires constant evaluation. That is one distinct advantage of F5 Distributed Cloud—the configurations are constantly being analyzed and enhanced behind-the-scenes by a team of expert engineers.