Security Sidebar: Improving Your SSL Labs Test Grade
Published Dec 23, 2014
Version 1.0
GeneUWG - Try "DEFAULT:!3DES:!DHE"
DHE keys are 1024 on BIG-IP and that's fixed. And 3DES, while technically 168-bit, is only 112-bit strength due to well-known attacks. Plus now there is Sweet32, which attacks 64-bit block ciphers like DES/3DES.
I also recommend against using '@SPEED'. That sorts based on performance - but weaker ciphers are faster, so guess which are preferred. Right. So don't use it - or use @STRENGTH instead for the strongest cipher first.
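To check what a cipher string like the one suggested above expands to, the following added example (not from the article or the commenter) uses Python's `ssl` module against the local OpenSSL build. OpenSSL's `DEFAULT` list differs from BIG-IP's, so the result only approximates what a BIG-IP would offer; appending `@STRENGTH` to the suggested string and the helper names `expand` and `audit` are assumptions of this example.

```python
import ssl


def expand(cipher_string):
    """Expand an OpenSSL-style cipher string with the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return (findings, strongest_first) for the expanded suite list.

    findings: (suite name, reason) pairs for 3DES or DHE suites still enabled.
    strongest_first: True if the suites are ordered by descending key strength.
    """
    suites = expand(cipher_string)
    findings = []
    for s in suites:
        name = s["name"]
        # OpenSSL names 3DES suites "...DES-CBC3..." or "...3DES-EDE...".
        if "DES-CBC3" in name or "3DES" in name:
            findings.append((name, "3DES: 64-bit block cipher (Sweet32)"))
        # "kx-dhe" is finite-field ephemeral DH; ECDHE reports "kx-ecdhe".
        if s.get("kea") == "kx-dhe":
            findings.append((name, "DHE key exchange"))
    # TLS 1.3 suites are not controlled by the cipher string and are always
    # listed first, so the ordering check covers TLS 1.2 and older only.
    bits = [s["strength_bits"] for s in suites if s["protocol"] != "TLSv1.3"]
    strongest_first = all(a >= b for a, b in zip(bits, bits[1:]))
    return findings, strongest_first


if __name__ == "__main__":
    # Compare the plain default with the hardened, strength-sorted string.
    for cs in ("DEFAULT", "DEFAULT:!3DES:!DHE:@STRENGTH"):
        findings, ordered = audit(cs)
        print(f"{cs}: {len(expand(cs))} suites, "
              f"{len(findings)} findings, strongest first: {ordered}")
        for name, reason in findings:
            print(f"  {name}: {reason}")
```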