janholtz
Jan 31, 2017

Optimal cipher string

So, just asking for some opinions here, this is my current optimal cipher string:

 

!SSLv3:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-CBC-SHA

 

I basically suggest lopping off ciphers from the right, until client apps stop working, and then adding the last one back. Also, I guess, disable renegotiation and enable strict transport security in the HTTP profile.

 

Does this seem reasonable? What else can be suggested?

 

//Jan

 

1 Reply

  • I would say on newer versions, 11.5 and later, the DEFAULT cipher sets are already pretty good. Rarely have a reason to modify them anymore. Your current cipher is OK, but I don't like the length of its configuration. Maybe you can achieve the same outcome with less options? Give a try with

    tmm --clientciphers 'DEFAULT:!exclusions'

    (in Bash) to see if the same outcome can be achieved with less.

    In regards to enabling HSTS, it's a yes-go. In regards to (TLS/SSL?) renegotiation, can't give a definitive answer that would apply for 95% or more cases. If asked for my opinion, I'd say that in relation to TLS/SSL security or performance, the renegotiation setting doesn't change that much, but depending on your configuration, you can be susceptible to more DDOS attack vectors. My approach with this setting is to do what's best from anti-DDOS perspective. Some people have a different approach.

    Article on the setting: https://devcentral.f5.com/articles/ssl-profiles-part-6-ssl-renegotiation
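
An added example, not part of either post and not F5 code: a name-based audit of the cipher string from the question that flags each suite and reorders the string so the most-flagged suites sit rightmost, which is the end the question proposes trimming from. The function names (`classify`, `audit`, `reordered`) and the finding labels are assumptions made for this sketch; it reads suite names only and does not replace checking the expanded list with `tmm --clientciphers`.

```python
# Added example: heuristic, name-based audit of an F5-style cipher string.
# The cipher string is the one posted in the question above.
POSTED = ("!SSLv3:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
          "ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:"
          "ECDHE-RSA-AES128-CBC-SHA")

def classify(suite):
    """Return the findings for one suite name; an empty list means no flags."""
    parts = suite.upper().split("-")
    findings = []
    if "CBC3" in parts or "3DES" in parts:
        findings.append("3DES (64-bit block)")
    if "RC4" in parts:
        findings.append("RC4")
    if "GCM" not in parts and "CHACHA20" not in parts:
        findings.append("not AEAD")
    if parts[-1] in ("SHA", "MD5"):
        findings.append("legacy MAC " + parts[-1])
    if parts[0] not in ("ECDHE", "DHE"):
        findings.append("no forward secrecy")
    return findings

def audit(cipher_string):
    """Split a colon-separated string into directives and classified suites."""
    directives, suites = [], []
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        # '!', '-', '+', '@' prefixes and bare keywords (e.g. DEFAULT) are
        # directives, not individual suites.
        if token[0] in "!-+@" or "-" not in token:
            directives.append(token)
        else:
            suites.append((token, classify(token)))
    return {"directives": directives, "suites": suites}

def reordered(cipher_string):
    """Rebuild the string with the most-flagged suites last (stable sort)."""
    result = audit(cipher_string)
    ranked = sorted(result["suites"], key=lambda s: len(s[1]))
    return ":".join(result["directives"] + [name for name, _ in ranked])

if __name__ == "__main__":
    for name, findings in audit(POSTED)["suites"]:
        print(f"{name:32} {', '.join(findings) or 'no flags'}")
    print(reordered(POSTED))
```
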