For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

SSL Labs Best Case Grades for Older TMOS Versions

Aspiring for that A+ rating on Qualys SSL Labs? F5er Brandon Frelich went to work to determine the best case scenarios for older versions of TMOS. Quite an engaging project, hopefully you enjoy readi...

Published Mar 16, 2016

Version 1.0

Icon for Admin rank

Admin

Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.

Icon for Admin rank

Admin

Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.

Simon_Waters_13

Icon for Cirrostratus rank

Cirrostratus

Mar 17, 2016

I agree Brian, it isn't clear 4096-bits keys are worth it, but hey it is nice to have one aspect of the F5 config score better than F5's ;) My paranoia is typical security paranoia (My predecessor in this role took part in the blacknet PGP key attack, and now he has all of facebook's resources at his disposal.....), plus demanding clients. For the service we put 4096-bit keys they already have PFS with common browsers, and have disabled DHE, and generally trying to stay ahead of the TLS issues. So when it comes to generate a key I use the longest I can. The hardware TLS termination is not currently anywhere near being the bottleneck, so the practical cost of longer keys is low unless traffic ramps up enormously. 2048 is now the recommended minimum length from NIST.