
HowTo: Getting an awesome Qualys SSL-Labs rating... (Feb 2017 Update)

Hi Folks,

In August 2016 I posted a Client SSL Profile configuration to achieve a top-notch Qualys SSL-Labs rating.

HowTo: Getting an awesome Qualys SSL-Labs rating...

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-48120

In the meantime Qualys SSL-Labs has decided to put a penalty very soon on those web sites which still support DES / IDEA algorithms via TLS1.2 (aka. every block cipher with a block size of less than or equal to 64-bit).

Penalty for using 3DES with TLS 1.2 (C)

"In late August, security researchers demonstrated an attack against ciphers that use 64-bit encryption blocks. The attack has been called Sweet32. The attack is not practical because it requires a very large amount of traffic, but it’s a good reminder that older and weaker ciphers need to be retired as a matter of routine. In TLS, that means avoiding 3DES (EDIT 27 Jan: and other ciphers that use 64-bit blocks, for example IDEA). Now, for sites that need to support an old user base completely retiring 3DES might not be possible (hint: Windows XP), but there’s no reason to use this cipher with modern browsers. To that end, we’ll be modifying our grading criteria to penalise sites that negotiate 3DES with TLS 1.2. Such sites will have their scores capped at C. We are aware that most servers don’t allow per-protocol cipher suite configuration, but that shouldn’t be a problem in this case. Sites that negotiate strong cipher suites with modern clients will not be affected if they support 3DES, provided they keep it at the end of their ordered list of suites." - Qualys SSL Labs (see Link)

The result of the announced rating changes is currently just a little warning message which states that the grade will be capped to C very soon:


To maintain your awesome A / A+ grade in the future, you have to change your supported cipher suites once again, so that every DES based algorithm gets either completely removed (this may have a compatibility impact) or at least gets placed at the very bottom of the Cipher Suite list.

Previous Cipher-List (for v11 and v12):

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@STRENGTH

Updated Cipher-List (for v11 and v12):

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

After applying the updated Cipher-List, you'll receive a clean A or even A+ (depending on HSTS configurations) rating again, while still supporting those Windows XP/IE8 or other legacy clients:


Cheers, Kai

Additional search tags for the lovely Google bot:

Preventing Logjam Attack

Preventing Sweet32 Attack

Default SSL Profile is a little bit insecure

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK 112

6
Comments on this Question
Comment made 07-Feb-2017 by Kai Wilke 6554

Hi Folks,

If you additionally want to eliminate the "ECDH public server param reuse: Yes" warning message...


... then enable the "Single DH use" option within the Client SSL Profile.


Cheers, Kai

3
Comment made 07-Feb-2017 by nathan 7305

Good work Kai

0
Comment made 07-Feb-2017 by Kees van den Bos | kees4IP 679

Thanx Kai!!!

0
Comment made 08-Feb-2017 by Kai Wilke 6554

You're welcome ;-)

Cheers, Kai

0
Comment made 08-Feb-2017 by Sebastian Maniak 262

thank you

0
Comment made 16-Feb-2017 by G.Ring 1

Kai,

Thanks...found this to be very useful in improving site security. One question though...

Per F5 (https://support.f5.com/csp/article/K13167034), in order to mitigate Sweet32 (CVE-2016-2183) you need to disable all DES-CBC3 ciphers in the SSL Profile (or set the renegotiation size to 1GB). While the above Cipher list does allow for an A/A+ rating from SSL Labs, when I ran vulnerability scans against an SSL profile with the exact cipher list above, the site was still showing vulnerable to Sweet32. I modified the Cipher list to remove any remaining DES-CBC3 ciphers and scans then came back as not-vulnerable to Sweet32.

Here's my Cipher-list after I took into account the F5 recommendation to remove all DES-CBC3:

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ADH-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

For readability, here's the diff in what I added to the Cipher List:

!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!ADH-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA

Your thoughts?

0
Comment made 19-Feb-2017 by Kai Wilke 6554

Hi G.Ring,

removing DES completely from the cipher list will have a certain compatibility impact. If you drop DES ciphers you'll also drop any WinXP/IE8 and other legacy browsers which won't support AES.

By setting the DES ciphers to the very bottom of the list, you'll make sure that every modern browser (the majority these days) will still be protected against the Sweet32 attack. Only legacy browsers may become a victim of Sweet32 then, but becoming a victim of an attack will still be very unlikely since the Sweet32 attack requires a very large amount of sniffed network traffic.

But thanks for pointing out that the official F5 recommendation is to limit the Renegotiation Size setting to 1 GB, so that no one can collect enough data from the same SSL session to pull off any birthday calculations.

Your thoughts?

Remove DES completely if compatibility isn't a concern, or move DES to the bottom of your cipher list while enforcing Renegotiation Size limits of 1 GB. ;-)

Cheers, Kai

0
Comment made 26-Apr-2017 by Seth Randall 0

We tend to disable 3DES unless we have a system that absolutely needs it. We usually work with them to upgrade if we can. The ciphers we've been using are:

!SSLv2:!EXPORT:!DHE:!3DES:RSA+AES-GCM:RSA+AES:ECDHE+AES-GCM:ECDHE+AES:!MD5:!SSLv3:!RC4

For ease of entry, you can deny all DHE and all 3DES by just using !DHE and !3DES instead of specifying each one. At least you can on 11.6.0.

0
Comment made 28-Apr-2017 by magnus78 88

Seth: better to use ECDHE before RSA.

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

This gives A+, without 3DES support.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks, looks really good!

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you are using version 10, you can still get an A- grade without disabling 3DES (so that IE8/XP browsers can still connect). This option is better than DEFAULT:!RC4:!SSLv3 because it prefers to use the 256 bit encryption and drops lower if the client doesn't support it.

Cipher-List (for v10):

!SSLv3:RSA+AES256-SHA256:RSA+AES256-SHA:RSA+AES128-SHA256:RSA+AES128-SHA:RSA+AES128-SHA:RSA+3DES

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Good stuff Kai!

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Has anyone seen any end user/application issues disabling the DHE ciphers?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Kai,

Is this a good place to discuss which of these have hardware offload support on the F5 platforms? I am just wondering as it's very relevant to performance considerations for our customers. Just let me know if you think it's relevant enough to be part of this discussion.

0
Comments on this Answer
Comment made 23-Oct-2017 by Kai Wilke 6554

Hi Kevin,

because of the many different TMOS software releases and hardware platforms available it may become a huge discussion. But yeah... it may be a good thing to also discuss the Security/Performance ratio of certain cipher suites.

K13213 [click me] should be a good starting point for this discussion, isn't it?

Note: I'm running an old 8950th unit with approximately 3 billion requests per day (~75% is SSL). So I'm very happy to discuss performance related SSL optimizations for those devices with outdated Cavium SSL accelerator cards...

Cheers, Kai

0
Comment made 23-Oct-2017 by Kevin Davies 3013

That was the exact article I was going to refer if you said we can discuss... specifically

"The SSL processing capacity has been found to improve when the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH) algorithms are processed in software for these BIG-IP platforms. Hence, the ECDSA and ECDH algorithms no longer use hardware acceleration"

Why are these more efficient in software rather than hardware offload? Are they computationally more compatible with the inbuilt processing or do they just use far less resources? Maybe it's just a roundabout way of saying we don't support this on a hardware level?

What does going to software do to SSL TPS capacity of the F5? Eg what are the SSL TPS rates for ECDH prior to the brand spanking new iSeries. The comments on this Devcentral article are actually quite informative -- Making the Case for ECC

0
Comment made 23-Oct-2017 by Kai Wilke 6554

Hi Kevin,

"The SSL processing capacity has been found to improve when the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH) algorithms are processed in software for these BIG-IP platforms. Hence, the ECDSA and ECDH algorithms no longer use hardware acceleration"

Why are these more efficient in software rather than hardware offload?

Well, good software support seems to be more efficient than having poor hardware support for those relatively modern algorithms on relatively old hardware. The iSeries has more recent Cavium cards included and seems to have a way better / more performant hardware support for ECDSA and ECDH algorithms. In this case those ciphers will be fully offloaded on hardware to save CPU cycles.

What does going to software do to SSL TPS capacity of the F5? Eg what are the SSL TPS rates for ECDH prior to the brand spanking new iSeries. The comments on this Devcentral article are actually quite informative

A while ago we had a support request opened to drill down the SSL/TPS performance of those Virtual Edition compared to 8950th and the iSeries and also asked for assistance to configure high performance SSL profiles. F5 has shown us some internal performance test numbers which were in the end not very usable for us (they were too synthetic) so we ended up testing several different cipher suites over night (at night we have just ~5000 SSL-TPS) and manually figured out the most performant configuration for our setup while still maintaining a reasonable security level (Qualys A- Rating) and also down level support (full WinXP/IE8 support).

The cipher suite string used for the high-traffic sites hosted on our 8950th platform is:

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:RSA+AES:RSA+AES-GCM:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:-MD5:-SSLv3:-RC4

Cheers, Kai

0
Comment made 23-Jan-2018 by Chase Abbott

Don't forget Cipher rules and groups if this stuff gets confusing for some. :-)

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi all,

Thank you very much Kai for this, really appreciate it.

Now with this new vulnerability K21905460: BIG-IP SSL vulnerability CVE-2017-6168 I suppose we will have to remove the RSA key exchange from the cipher list? https://support.f5.com/csp/article/K21905460

New list:

!SSLv2:!RSA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

What are your thoughts?

Regards,

0
Comments on this Answer
Comment made 20-Nov-2017 by magnus78 88

Yours says some weak ciphers on SSL Labs. You can use this one:

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:-MD5:-SSLv3:-RC4:!3DES:!RSA

0
Comment made 20-Nov-2017 by Kai Wilke 6554

Hi kchiotak,

thank you very much for bringing this to our attention.

The Bleichenbacher attack is somewhat difficult to pull off and most likely not exploitable outside of lab environments. If you have to close this security hole because of compliance reasons or if you just want to have this security hole closed, then use the cipher string you have posted.

But keep in mind that this change will ban any legacy client without ECDHE support (like WinXP/IE8)!

(at) magnus78

kchiotak's and your cipher string provide almost the same level of security. The only difference is that kchiotak's string includes DES based algorithms with the least priority (most likely never negotiated) and yours is banning DES based algorithms completely. But both are successfully banning any RSA based ciphersuites...

FYI: The shortcut to your cipher string would be just 'ECDHE+AES-GCM:ECDHE+AES'

Cheers, Kai

0
Comment made 20-Nov-2017 by bluestar007 66

Hi,

Is the final string the one below?

'DEFAULT:!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4'

Thanks

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hey Kai. This is fantastic stuff. I don't know anything about making even the slightest tweak to these. Could you assist with the string I would need for TLS 1.1 and 1.2 ciphers only, with no 3DES and RSA key exchanges at the bottom of my list?

0
Comments on this Answer
Comment made 24-Jan-2018 by Kai Wilke 6554

Hi SFiddy,

I'm about to release an updated version of this posting to cover upcoming SSL Labs and PCI DSS requirements (will come in June 2018) and to cover also mixed RSA / ECDSA certificate support. So stay for the updated posting...

To answer your question in the meantime:

Banning 3DES is not really necessary at this time, if you renegotiate your SSL session every 1Gbyte (to counter sweet32 attacks), but you can if you don't require support for very old legacy user agents.

Banning support for TLSv1.0 is also not really necessary at this time, but you can if you don't require support for legacy user agents.

I've never banned every RSA ciphersuite before and I honestly believe it's currently not required and also not practicable to do so!?!

Below is a set of cipher strings I'm currently working on and once stable enough they will be included in my updated posting:

Qualys SSL Labs A+ Rating with full downlevel support (aka. TLS1.0, TLS1.1, TLS1.2 protocols with RSA and ECDSA-ciphersuites enabled and mixed 112/128/256 encryption):

[itacs@ahk-f501:Active:Standalone] ~ # tmm --clientcipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:-SSLv3:-DTLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 2: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 3: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
 4: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES       SHA     ECDHE_ECDSA
 5: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 6: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA 
 8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
 9: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
10: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
12: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
13: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
14: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES       SHA     ECDHE_ECDSA
15: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
16: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA 
18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
19: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
20:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
21:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
22:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
23:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA       
24:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
25:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
26:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
27:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA       
28:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
29:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
30:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA       
31:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA       
32:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA       
[itacs@ahk-f501:Active:Standalone] ~ # 

Qualys SSL Labs A+ Rating with moderate downlevel support (aka. TLS1.1, TLS1.2 protocols with RSA and ECDSA-ciphersuites enabled and mixed 128/256 encryption):

[itacs@ahk-f501:Active:Standalone] ~ # tmm --clientcipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-TLSv1:-DTLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 2: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 3: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
 4: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 5: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
 8: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 9: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
10: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
11: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
12: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
13: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
14: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
15: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
16:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
17:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
18:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
19:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
20:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
21:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
22:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
23:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
[itacs@ahk-f501:Active:Standalone] ~ # 

Qualys SSL Labs A+ Rating with little downlevel support (aka. TLS1.1, TLS1.2 protocols with RSA and ECDSA-ciphersuites enabled and pure 256 encryption):

[itacs@ahk-f501:Active:Standalone] ~ # tmm --clientcipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:-SSLv3:-TLSv1:-DTLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 2: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 3: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
 4: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 5: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
 8:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
 9:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
10:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
11:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
[itacs@ahk-f501:Active:Standalone] ~ # 

Qualys SSL Labs A+ Rating without downlevel support (aka. TLS1.1, TLS1.2 protocols with only ECDSA-ciphersuites enabled with mixed 128/256 encryption):

[itacs@ahk-f501:Active:Standalone] ~ # tmm --clientcipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:-SSLv3:-TLSv1:-DTLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 3: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 4: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 5: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 6: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
[itacs@ahk-f501:Active:Standalone] ~ # 

Qualys SSL Labs A+ Rating without downlevel support (aka. TLS1.1, TLS1.2 protocols with only ECDSA-ciphersuites enabled and pure 256 encryption):

[itacs@ahk-f501:Active:Standalone] ~ # tmm --clientcipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:-SSLv3:-TLSv1:-DTLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 3: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
[itacs@ahk-f501:Active:Standalone] ~ # 

Cheers, Kai

1
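An added example (not part of the thread and not F5 code): a shell function that reads the table printed by `tmm --clientcipher` and lists the suites touching the points discussed in this thread, namely 3DES placement (Sweet32 and the SSL Labs cap), static RSA key exchange (K21905460), DHE, and TLS 1.0. The function name, the finding labels and the second sample listing are constructed for illustration, and the `EDH/RSA` KEYX label in that sample is an assumption.

```shell
# Audit the output of: tmm --clientcipher '<cipher string>'
# Columns, as shown in the listings above:
#   N: ID SUITE BITS PROT METHOD CIPHER MAC KEYX
# Findings are printed as "<LABEL> <SUITE>", one per distinct pair.
audit_tmm_ciphers() {
  awk '
    # Print each (label, suite) pair only once, in order of appearance.
    function report(code, s) {
      if (!((code, s) in seen)) { seen[code, s] = 1; print code, s }
    }
    # Data rows start with an index such as "0:"; the header row does not.
    $1 ~ /^[0-9]+:$/ && NF >= 9 {
      n++
      suite[n] = $3; prot[n] = $5; keyx[n] = $9
      # tmm reports DES-CBC3-SHA with CIPHER "DES": a 64-bit block cipher.
      des[n] = ($7 == "DES" || $3 ~ /DES-CBC/)
      if (!des[n]) last_strong = n
    }
    END {
      for (i = 1; i <= n; i++) {
        # SSL Labs only tolerates 3DES when it sits at the end of the list.
        if (des[i])
          report((i < last_strong) ? "3DES-NOT-LAST" : "3DES-OFFERED", suite[i])
        # Static RSA key exchange: no forward secrecy, in scope of K21905460.
        if (keyx[i] == "RSA") report("RSA-KEYX", suite[i])
        # DHE suites: flagged "DH 1024 bits ... WEAK" in the SSL Labs output.
        if (suite[i] ~ /^DHE-/) report("DHE", suite[i])
        # PROT "TLS1" means the suite is enabled for TLS 1.0.
        if (prot[i] == "TLS1") report("TLS1.0", suite[i])
      }
    }'
}

# Rows copied from the first listing in the comment above (excerpt).
SAMPLE_PAGE=$(cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
20:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
27:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
29:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
30:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
32:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
EOF
)

# Constructed listing (not from the page): 3DES sits ahead of AES128 suites
# and a DHE suite is enabled. The KEYX label on the DHE row is an assumption.
SAMPLE_BAD=$(cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
 2: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 3:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
EOF
)

echo "== listing from the page (excerpt) =="
printf '%s\n' "$SAMPLE_PAGE" | audit_tmm_ciphers
echo "== constructed listing =="
printf '%s\n' "$SAMPLE_BAD" | audit_tmm_ciphers
```

On a BIG-IP the same function can be fed directly: `tmm --clientcipher '<cipher string>' | audit_tmm_ciphers`.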
Comment made 24-Jan-2018 by SFiddy 17

This is AMAZING, thank you!!

0
Comment made 24-Jan-2018 by Kai Wilke 6554

You're pretty much welcome. Let me know if you need some extra clarification or assistance... ;-)

Cheers, Kai

0
Comment made 30-Jan-2018 by Harry 417

Hi Kai,

As of today, what would be the best cipher suite which will give A+ from SSL-Labs? Can I consider the ones below? I have taken all three from this thread only.

I am using v13.0.0 with HF3

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

!SSLv2:!EXPORT:!DHE:!3DES:RSA+AES-GCM:RSA+AES:ECDHE+AES-GCM:ECDHE+AES:!MD5:!SSLv3:!RC4

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

0
Comment made 30-Jan-2018 by Kai Wilke 6554

Hi Harry,

it depends on what exactly "best" means for you. Choosing the right cipher suite is basically a pendulum between "Security" and "Compatibility"...

The most balanced cipher string is in my opinion this one...

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:-SSLv3:-DTLSv1

The cipher string has support for all modern ciphers (in a preferred order) but it's compatible down to WinXP/IE8 and achieves an A+ rating in combination with HSTS settings.

Note: The cipher string above still uses DES algorithms for legacy browsers. Because of this you have to tweak your Client_SSL_Profile so that you renegotiate the SSL session every 1024Mbyte of transferred data to counter Sweet32 attacks.

If you don't care about old browsers, then this one is also a good balance...

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-TLSv1:-DTLSv1

Cheers, Kai

0
Comment made 31-Jan-2018 by Harry 417

Thanks Kai. I got A Grade with the first one.

0
Comment made 13-Feb-2018 by The-messenger 355

I posted to the older thread, here's my update. First, thanks to Kai for starting this thread and providing the info, excellent!

With the recent publication of the ROBOT attack on the RSA cipher, I have added !RSA to my cipher profile and tested with no issues. https://support.f5.com/csp/article/K21905460#proc1

What is the stand on TLS 1.3?

0
Comment made 13-Feb-2018 by Kris @ VirginAustralia 145

I'm running 11.6.3 and enabling "single DH use" does not remove the warning about "ECDH public server param reuse"

edit: I take that back, it does work but it seemed to take a while or wasn't picked up by SSLlab's additional scans.

1
Comment made 19-Apr-2018 by LA Medina 120

Hi Kai,

I was looking for a 'fix' for this particular issue and I found this thread that you posted. :)

https://support.f5.com/csp/article/K13400#config_p1

as we were recently flagged by a pen test. Our client basically just wants to disable TLSv1 as per the F5 recommendation.

SSL is not really my strong suit. :) And based on what I have read, I understand that I just need to change the clientssl profile configuration and enable TLSv1_2, but I'm not really sure whether that is all the ciphers that I need to enable or all that I need to do to achieve that? How about the ciphersuite for restricting the configuration utility to use only TLSv1.2?

Basically, I just need to know what would be the best cipher suite for this? :) We are currently running 12.1.2 HF1.

Btw, we currently only have 2 VS that are using the SSL profile and they are using the default clientssl and server profile.

Here is our current Cipher suite:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA

0
Comment made 22-Apr-2018 by dariusz 54

Hello, I read this article and added one option at the end to reduce weak Cipher Suites. I hope that this combination is ok. Please check the new combination. Br. Darek

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-TLSv1:-DTLSv1:!RSA

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello, I am using v11.6.2HF1 and am just looking for thoughts and/or opinions.

  1. I have 2 client SSL profiles with their current cipher strings set to: DEFAULT:@STRENGTH:!EXP:!EXPORT:!DHE. In order to disable TLS v1.0, I will modify both cipher strings to read: DEFAULT:@STRENGTH:!EXP:!EXPORT:!DHE:!TLSv1:!SSL:!SSLv2:!SSLv3
  2. I am also looking to enable PFS, using a string I saw posted by David Holmes, which is: ECDHE+HIGH:HIGH since Qualys Labs changed their grading practice. Any thoughts if this string will improve the Qualys rating? Thanks for any thoughts or comments.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Simply adding :@Speed to the current ciphers DEFAULT:!DHE:!3DES:!TLSv1 upgrades a 'B' score to an 'A' ... am I missing something ... this appears too simple

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Using the below Cipher Suite but still seeing the rating as "B". Any help would be highly appreciated.

Here is the cipher:

!SSLv2:!EXPORT:!DHE:!3DES:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:!RSA+3DES:-MD5:-SSLv3:-RC4:

SSL Labs output: Rating B

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112

Forward Secrecy: Weak key exchange WEAK
DH public server param (Ys) reuse: Yes
ECDH public server param reuse: Yes

0