SSL Labs Best Case Grades for Older TMOS Versions
Aspiring for that A+ rating on Qualys SSL Labs? F5er Brandon Frelich went to work to determine the best case scenarios for older versions of TMOS. Quite an engaging project, hopefully you enjoy readi...
Published Mar 16, 2016
Version 1.0
JRahm
Admin
Joined January 20, 2005
Simon_Waters_13
Mar 17, 2016
Cirrostratus
Recent F5 firmware supports 4096-bit RSA keys, which will boost www.f5.com on key exchange to 100%, at some slight performance cost.
Not sure if this is rational, as it does have a performance hit, and significant attacks against 2048-bit RSA keys would probably be better aimed at the CAs' keys. Although arguably it still protects actual traffic better, making it harder to decrypt archived messages, so we went with the longest keys supported.
I've put in the first proposal for using HPKP to avoid relying on these security lightweights like the CAs ;)