Forum Discussion

swjo_264656
Aug 23, 2017

Getting an awesome Qualys SSL-Labs rating

Hi guys

I have to work to get an A or A+ grade on the SSL Labs test.

I've examined this article, but it's not clear to me.

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489

Question 1. By adjusting ciphers

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

Win XP / IE8 users would be rejected. Is there any possible method using 3DES and still getting an A grade or above?

Question 2. Regarding "ECDH public server param reuse: Yes"

It seems that there are two solutions.

1) Client SSL profile --> option list --> Single DH use

2) Set an iRule:

when HTTP_RESPONSE { HTTP::header insert "Strict-Transport-Security" "max-age=15552000" }

Which one is more effective to solve ECDH public server param reuse?

Thank you.
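To see what the cipher string in Question 1 actually leaves enabled, here is an added Python example (not code from F5 or from the linked HowTo). It evaluates the string against a small constructed suite table using simplified F5/OpenSSL rule semantics, then runs a server-preference negotiation against two constructed client models: one standing in for IE8 on Windows XP (modelled as TLS 1.0 with RSA key exchange and only RC4/3DES suites) and one for a current browser. The suite table, the client models, and the assumption that protocol keywords such as SSLv2/SSLv3 toggle protocol versions rather than match suites are all my own simplifications.

```python
"""Evaluate an F5/OpenSSL-style cipher string against a constructed suite table.

Added example; not code from F5 or from the linked HowTo. The suite table and
the client profiles are constructed, and the rule semantics are a simplified
model: a bare token appends matching suites (table order) that are not yet
enabled, '-' removes matches but lets a later token re-add them, '!' removes
them permanently, and 'A+B' matches only suites carrying every listed keyword.
Protocol keywords (SSLv2, SSLv3, TLSv1, ...) are modelled as toggling the
negotiable protocol versions rather than matching suites (an assumption).
"""
from dataclasses import dataclass

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
LEGACY = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
TLS1_PLUS = ("TLSv1", "TLSv1_1", "TLSv1_2")
TLS12_ONLY = ("TLSv1_2",)


@dataclass(frozen=True)
class Suite:
    name: str
    props: frozenset     # F5-style keywords this suite matches
    versions: frozenset  # protocol versions under which it can be negotiated


def _suite(name, props, versions):
    return Suite(name, frozenset(props), frozenset(versions))


# Constructed subset of real suite names. AES-GCM suites also carry "AES",
# mirroring OpenSSL's 'AES' keyword (assumed to hold for F5 as well).
SUITES = [
    _suite("ECDHE-RSA-AES256-GCM-SHA384", ("ECDHE", "AES", "AES-GCM"), TLS12_ONLY),
    _suite("ECDHE-RSA-AES128-GCM-SHA256", ("ECDHE", "AES", "AES-GCM"), TLS12_ONLY),
    _suite("ECDHE-RSA-AES256-SHA", ("ECDHE", "AES"), TLS1_PLUS),
    _suite("ECDHE-RSA-AES128-SHA", ("ECDHE", "AES"), TLS1_PLUS),
    _suite("ECDHE-RSA-DES-CBC3-SHA", ("ECDHE", "3DES"), TLS1_PLUS),
    _suite("DHE-RSA-AES256-GCM-SHA384", ("DHE", "AES", "AES-GCM"), TLS12_ONLY),
    _suite("DHE-RSA-AES128-SHA", ("DHE", "AES"), LEGACY),
    _suite("DHE-RSA-DES-CBC3-SHA", ("DHE", "3DES"), LEGACY),
    _suite("AES256-GCM-SHA384", ("RSA", "AES", "AES-GCM"), TLS12_ONLY),
    _suite("AES128-SHA", ("RSA", "AES"), LEGACY),
    _suite("DES-CBC3-SHA", ("RSA", "3DES"), LEGACY),
    _suite("RC4-SHA", ("RSA", "RC4"), LEGACY),
    _suite("RC4-MD5", ("RSA", "RC4", "MD5"), LEGACY),
    _suite("EXP-RC4-MD5", ("RSA", "RC4", "MD5", "EXPORT"), LEGACY),
]
KNOWN_KEYWORDS = {k for s in SUITES for k in s.props} | set(PROTOCOLS)


def evaluate(cipher_string):
    """Return (enabled suites in preference order, negotiable protocol versions)."""
    enabled, banned = [], set()
    protocols = set(PROTOCOLS)  # model starts with everything on; the string prunes
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, keyword = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        keywords = keyword.split("+")
        unknown = set(keywords) - KNOWN_KEYWORDS
        if unknown:
            raise ValueError(f"unknown keyword(s) {sorted(unknown)} in {token!r}")
        if keyword in PROTOCOLS:
            (protocols.discard if op else protocols.add)(keyword)
            continue
        matches = [s for s in SUITES if all(k in s.props for k in keywords)]
        if op == "!":
            banned.update(matches)   # '!' can never be undone by a later token
        if op:
            enabled = [s for s in enabled if s not in matches]
        else:
            enabled += [s for s in matches if s not in enabled and s not in banned]
    return enabled, protocols


def negotiate(enabled, protocols, client_versions, client_suites):
    """Server-preference handshake model: highest common version, then the
    first server suite the client also offers that exists at that version."""
    common = [v for v in PROTOCOLS if v in protocols and v in client_versions]
    if not common:
        return None
    version = common[-1]
    for suite in enabled:
        if suite.name in client_suites and version in suite.versions:
            return version, suite.name
    return None


# Constructed client models, not measured data: IE8 on Windows XP as TLS 1.0
# with RSA key exchange and only RC4/3DES; a current browser as TLS 1.2 GCM.
XP_IE8 = ({"SSLv3", "TLSv1"}, ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"])
MODERN = ({"TLSv1_2"}, ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"])
QUESTION_STRING = ("!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:"
                   "RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4")


def report(cipher_string=QUESTION_STRING):
    enabled, protocols = evaluate(cipher_string)
    return {
        "suites": [s.name for s in enabled],
        "protocols": sorted(protocols, key=PROTOCOLS.index),
        "xp_ie8": negotiate(enabled, protocols, *XP_IE8),
        "modern": negotiate(enabled, protocols, *MODERN),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running it shows the '!' tokens removing the DHE suites for good, the RSA+3DES and ECDHE+3DES suites staying at the bottom of the preference order, and the XP/IE8 model still negotiating DES-CBC3-SHA over TLS 1.0, which is what Kai's reply further down says about the string. The difference between '-' and '!' is the part worth remembering when editing such strings: '-RC4' can be undone by a later 'RSA+RC4', '!EXPORT' cannot.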

 

3 Replies

  • Does the iRule mean inserting a cookie (Strict-Transport-Security) into the HTTP header?

    Do I need to set the cookie value at random, or should I set it to that value?


  • Hi,

    All answers to your questions are in the article you linked and its comments.

    The iRule inserts an HTTP header named Strict-Transport-Security. This is not a cookie.

    In version 12.0 and above, this configuration can be done without an iRule, in the HTTP profile (create a new one assigned only to HTTPS virtual servers).

  • Hi Swjo,

    Win XP / IE8 users would be rejected. Is there any possible method using 3DES and still getting an A grade or above?

    The cipher string I've posted in the HowTo does NOT exclude every single DES cipher. It just disables the DHE+DES based ciphers, since F5 does not support DHE keys with appropriate key sizes.

    Windows XP / IE8 will still be supported if IE8 has TLS1.0 / TLS1.1 turned on. You can see this by

    Question 2.

    ECDH reuse and setting HSTS headers are two separate issues. ECDH reuse will make sure that you generate a fresh ECDH key pair for every single SSL session, and HSTS will make sure to mark your site as SSL-only so that clients will stop sending plaintext HTTP requests...

    Note: You should also set the "SSL Renegotiation Size" to "1 GB" to counter Sweet32 attacks.

    Cheers, Kai
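As an added example (not code from F5, from the HowTo, or from Kai's reply), the following Python models how a browser acts on the Strict-Transport-Security header that the question's iRule emits: it parses the header value per RFC 6797 (assumed to be the governing spec), keeps a small in-memory policy cache the way a user agent does, and answers whether a plaintext request to a given host must be upgraded to HTTPS. It goes slightly beyond the page's single header by also handling includeSubDomains, policy expiry and withdrawal via max-age=0, since those are what make the max-age value matter. The host names and clock values are constructed; the 15552000-second threshold is just the value from the iRule (180 days).

```python
"""Model a user agent's handling of Strict-Transport-Security (RFC 6797).

Added example, not code from F5 or from the DevCentral thread. The policy
store, hosts and clock values are constructed. MIN_MAX_AGE is the value the
question's iRule sets (15552000 s = 180 days), used here as the yardstick.
"""
from dataclasses import dataclass

MIN_MAX_AGE = 15552000  # seconds; the max-age the iRule in the question emits


@dataclass
class HstsPolicy:
    expires: float          # absolute time after which the policy is void
    include_subdomains: bool


def parse_hsts(value):
    """Parse a header value into (max_age, include_subdomains).

    Raises ValueError for a header a browser would ignore: directive names are
    case-insensitive, max-age is mandatory, and duplicate directives are invalid.
    Unknown directives such as 'preload' are ignored, as the RFC requires.
    """
    max_age, include_subdomains, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"bad max-age value {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive missing")
    return max_age, include_subdomains


class HstsCache:
    """Minimal model of a browser's known-HSTS-hosts store."""

    def __init__(self):
        self.policies = {}

    def observe(self, host, header_value, now, over_https=True):
        """Record a header seen on a response. Returns True if it was applied.

        The RFC tells user agents to ignore the header on plain HTTP, and an
        unparseable header is ignored too, so the HTTPS-only intent only takes
        effect once the client has reached the site securely at least once.
        """
        if not over_https:
            return False
        try:
            max_age, include_subdomains = parse_hsts(header_value)
        except ValueError:
            return False
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.policies[host] = HstsPolicy(now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host, now):
        """True if a plaintext request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None or policy.expires <= now:
                continue  # unknown host or expired policy
            if i == 0 or policy.include_subdomains:
                return True  # exact match, or a superdomain covering subdomains
        return False


def long_enough(header_value, minimum=MIN_MAX_AGE):
    """Does the header's max-age reach the 180-day value used in the question?"""
    max_age, _ = parse_hsts(header_value)
    return max_age >= minimum


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_700_000_000.0  # constructed clock
    cache.observe("www.example.com", "max-age=15552000", t0)
    print("upgrade now:", cache.should_upgrade("www.example.com", t0 + 60))
    print("upgrade after 180 days:", cache.should_upgrade("www.example.com", t0 + MIN_MAX_AGE))
```

The two behaviours worth noticing are that a policy is only honoured until now + max-age, so a short max-age silently drops the protection between visits, and that the header is ignored on plain HTTP, which is why the iRule belongs on the HTTPS virtual server only, as the previous reply notes.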