HowTo: Getting an awesome Qualys SSL-Labs rating...

Hi Folks,

If you're required to achieve top-notch Qualys SSL Labs ratings, you may adopt the settings below...

How to achieve a Qualys SSL Labs "A" rating

To achieve an "A" rating you need to change your Client SSL profile settings to...

  • Exclude DHE based algorithms
  • Prefer ECDHE based algorithms

The resulting cipher list will then look like this...

Cipher list (for v11 and v12):

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@STRENGTH

Note: The settings above are the ones F5 uses to secure access to https://devcentral.f5.com/. They provide good compatibility while remaining secure... ;-)

How to achieve a Qualys SSL Labs "A+" rating

To achieve an "A+" rating you need to change your Client SSL profile settings as described above, and in addition you need to send HSTS headers with a long max-age in the response to every single request.

when HTTP_RESPONSE  {
    # 15552000 seconds = 180 days; sent on every response passing through the virtual server
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000"
}

Cheers, Kai

Additional search tags for the lovely Google bot:

Preventing Logjam Attack

Default SSL Profile is a little bit insecure

Cipher suite (hex id)                         Key exchange    FS   Rating   Bits
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)    DH 1024 bits    FS   WEAK     128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)    DH 1024 bits    FS   WEAK     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)       DH 1024 bits    FS   WEAK     256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)    DH 1024 bits    FS   WEAK     128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)       DH 1024 bits    FS   WEAK     128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)      DH 1024 bits    FS   WEAK     112

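Added example (not part of Kai's post and not F5 code): a small Python model of the OpenSSL-style cipher string syntax that the Client SSL profile consumes, so you can see offline which suites a given string enables and in which order. The suite table is constructed for illustration and covers only a subset of what a BIG-IP offers; the alias matching assumes `RSA`, `DHE` and `ECDHE` refer to key exchange and that `AES` covers both CBC and GCM suites; and the `SSLv2`/`SSLv3`/`TLSv1*` tokens are modelled as protocol switches rather than suite groups, which is how the F5 syntax treats them (assumption, check the real expansion with `tmm --clientciphers '<string>'` on the box). It evaluates both the "A" string from the post and the `!RSA` variant from the last reply, which shows that `!` is permanent: the later `RSA+...` tokens add nothing back.

```python
"""Toy evaluator for OpenSSL-style cipher strings as used in F5 client-ssl profiles.

Token rules modelled: `!X` kills matching suites for the rest of the string,
`-X` removes them but allows later re-adding, `+X` moves them to the end,
`A+B` requires a suite to match every word, a bare alias appends matching
suites in table order, and `@STRENGTH` sorts by key length (stable).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str    # IANA name
    kx: str      # key exchange: RSA, DHE, ECDHE
    enc: str     # bulk cipher: AES-GCM, AES, 3DES, RC4
    mac: str     # SHA, SHA256, SHA384, MD5
    bits: int    # key length used by @STRENGTH
    export: bool = False


# Constructed subset of suites, in the order the stack would offer them by default.
SUITES = [
    Suite("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "AES-GCM", "SHA384", 256),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "AES-GCM", "SHA256", 128),
    Suite("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", "AES", "SHA", 256),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", "AES", "SHA", 128),
    Suite("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE", "3DES", "SHA", 112),
    Suite("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE", "AES-GCM", "SHA256", 128),
    Suite("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES", "SHA", 256),
    Suite("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE", "3DES", "SHA", 112),
    Suite("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA", "AES-GCM", "SHA384", 256),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES", "SHA", 128),
    Suite("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES", "SHA", 112),
    Suite("TLS_RSA_WITH_RC4_128_MD5", "RSA", "RC4", "MD5", 128),
    Suite("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", "RC4", "MD5", 40, export=True),
]

# Assumption: on F5 these tokens enable/disable protocol versions, not suite groups.
PROTOCOL_TOKENS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}

# The "A" rating string from the post, and the !RSA variant from the last reply.
A_RATING = ("!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:"
            "RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@STRENGTH")
NO_RSA_KX = ("!SSLv2:!EXPORT:!RSA:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:"
             "RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4")


def _matches_word(s: Suite, word: str) -> bool:
    """One alias word (DHE, AES-GCM, MD5, ...) against one suite."""
    if word in ("RSA", "DHE", "ECDHE"):       # assumed: key-exchange aliases
        return s.kx == word
    if word == "AES":                         # AES covers CBC and GCM suites
        return s.enc.startswith("AES")
    if word in ("AES-GCM", "3DES", "RC4"):
        return s.enc == word
    if word in ("MD5", "SHA", "SHA256", "SHA384"):
        return s.mac == word
    if word == "EXPORT":
        return s.export
    if word == "ALL":
        return True
    raise ValueError(f"unknown alias {word!r}")


def _matches(s: Suite, token: str) -> bool:
    """`A+B` means the suite must match every word."""
    return all(_matches_word(s, w) for w in token.split("+"))


def evaluate(cipher_string: str):
    """Return (ordered list of enabled suite names, set of enabled protocol versions)."""
    enabled = []
    killed = set()
    protocols = set(PROTOCOL_TOKENS)
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            enabled.sort(key=lambda s: s.bits, reverse=True)   # stable sort
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if name in PROTOCOL_TOKENS:
            (protocols.discard if op in ("!", "-") else protocols.add)(name)
            continue
        hit = [s for s in SUITES if _matches(s, name)]
        if op == "!":                                  # permanent removal
            killed.update(hit)
            enabled = [s for s in enabled if s not in hit]
        elif op == "-":                                # removable, may be re-added later
            enabled = [s for s in enabled if s not in hit]
        elif op == "+":                                # demote to the end of the list
            enabled = [s for s in enabled if s not in hit] + [s for s in enabled if s in hit]
        else:                                          # append, skipping killed/duplicates
            enabled += [s for s in hit if s not in killed and s not in enabled]
    return [s.name for s in enabled], protocols


if __name__ == "__main__":
    for label, cs in (("A rating (post)", A_RATING), ("!RSA variant (reply)", NO_RSA_KX)):
        names, protos = evaluate(cs)
        print(f"{label}: protocols={sorted(protos)}")
        for n in names:
            print("   ", n)
```

Note what `@STRENGTH` does to the post's string: it ranks by key length first, so `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` and the plain-RSA AES-256-GCM suite end up above ECDHE AES-128-GCM, while the 3DES suites sink to the bottom, which is exactly why they can stay in the list for legacy clients without hurting the grade.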
Comments on this Discussion
Comment made 09-Sep-2016 by The-messenger

Thanks, for a newbie, how do you apply this?

Comment made 09-Sep-2016 by Josh Becigneul

You may want to check out this series on working with SSL Profiles.

https://devcentral.f5.com/articles/ssl-profiles-part-1

Comment made 10-Sep-2016 by The-messenger

Excellent! Thank you

Comment made 07-Feb-2017 by alexandre.giraud@3sr.fr

Hi, since the recent issue with 3DES, to get an A+ you now just need to remove all 3DES ciphers. Here is the list that provides A+: !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:@STRENGTH

I noticed that SSL Labs reports "ECDH public server param reuse" as YES with a warning. I'm still looking for what I have to do to get it without the warning and have published a dedicated question: https://devcentral.f5.com/questions/ecdh-public-server-param-reuse-51496

Alex

Comment made 07-Feb-2017 by Kai Wilke

Hi Alex,

you don't need to remove DES from the list. Just move it to the very bottom of your cipher suite list to maintain an A / A+ rating while still having support for WinXP/IE8 or other legacy clients.

HowTo: Getting an awesome Qualys SSL-Labs rating... (Feb 2017 Update)

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489

Cheers, Kai

Comment made 07-Feb-2017 by alexandre.giraud@3sr.fr

Correct! You rock, thanks ;) And, not to abuse your help, do you have an idea about the setting "ECDH public server param reuse"?

Thanks, Alex

Comment made 07-Feb-2017 by Kai Wilke

Hi Alex,

you'll find the answer here... ;-)

https://devcentral.f5.com/questions/ecdh-public-server-param-reuse-51496

Cheers, Kai


Replies to this Discussion


It's worth noting that Chrome 53 is soon to disable support for ciphers using DHE key exchange. https://www.thesslstore.com/blog/tracking-ssl-changes-chrome-53/ The big reason for this is the Logjam vulnerability.

Safari, in some recent version, disabled support for DHE ciphers as well.


Hi Folks,

I wrote an updated posting to provide a new cipher suite order for the recent/very soon to come Qualys SSL-Lab grading criteria changes.

HowTo: Getting an awesome Qualys SSL-Labs rating... (Feb 2017 Update)

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489

Cheers, Kai


Hi Kai, Which field in the SSL profile do I need to populate with "when HTTP_RESPONSE..."?

Comments on this Reply
Comment made 24-Oct-2017 by Kai Wilke

Hi Benjamin,

The "when HTTP_RESPONSE..." thingy is not an SSL profile setting. It's an iRule and needs to be created on your LTM and then attached to your HTTPS Virtual Server (this iRule requires SSL and HTTP profiles configured).

Cheers, Kai


First, thanks to Kai for starting this thread and providing the info, excellent!

With the recent publication of the ROBOT attack on the RSA cipher, I have added !RSA to my cipher profile and tested with no issues.
https://support.f5.com/csp/article/K21905460#proc1

IE8/WinXP are not a concern for my organization so I'm good with that browser not being able to access services.

I've seen this referenced before but have not seen a tested cipher list. Here's the list I'm using now. It's the same as last posted here but with the !RSA to disable RSA added.

!SSLv2:!EXPORT:!RSA:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4
