SSLlabs.com test capped to B

Question

I am running 11.4.1 with HF9. My current SSL ciphers options are: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1&nbsp;
Test for the certificate gives me B &nbsp;
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. &nbsp;
From the tests to Diffie-Hellman implementation, I see:&nbsp;
Good News! This site uses a unique or infrequently used 1024-bit Diffie-Hellman group. You are likely safe, but it's still a good idea to generate a unique, 2048-bit group for the site. &nbsp;
Did anyone manage to get A/A+ on version 11.4.1?&nbsp;

hannes_rapp_162 · Accepted Answer

Both A and A+ are possible on 11.4.1. You're losing some score because of 1028 bit key, but also 128bit SSL ciphers reduce your score a little. In regards to key strength, you can't do much unless you're willing to renew the certificate immediately.
When the time comes, generate a new CSR based on a 4096 bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.&nbsp;
More information on SSL labs grading:&nbsp;
https://devcentral.f5.com/articles/security-sidebar-improving-your-ssl-labs-test-grade&nbsp;

rajesh_06_15705 · Answer

Here are nmap results for the certificate

Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2015-08-24T00:00:00

| Not valid after:  2016-10-26T12:00:00

| MD5:   bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5

|_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0

| ssl-enum-ciphers:

|   TLSv1.0:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|   TLSv1.1:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|   TLSv1.2:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|_  least strength: C

rajesh_06_15705 · Answer

Here are nmap results for the certificate

Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2015-08-24T00:00:00

| Not valid after:  2016-10-26T12:00:00

| MD5:   bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5

|_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0

| ssl-enum-ciphers:

|   TLSv1.0:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|   TLSv1.1:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|   TLSv1.2:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A

|     compressors:

|       NULL

|     cipher preference: server

|     warnings:

|       Key exchange parameters of lower strength than certificate key

|_  least strength: C

rajesh_06_15705 · Answer

Made changes to ciphers to: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1

This cipher set gave me A on ssllabs.com test

rajesh_06_15705 · Answer

Made changes to ciphers to: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1

This cipher set gave me A on ssllabs.com test

Forum Discussion

SSLlabs.com test capped to B

6 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Blockchain security and CAP theorem

TESTING / ARTICLE SAVE - 002LEZ

Cap and not Cap uri

Khoros article scheduling test

DC failover test via GTM