SSL Labs has changed its requirements for cipher suites. The new cipher string is:
So I’m going to make a how-to about something I’m not sure I agree with, but because it seems to be a big hit nowadays, I’ll do it anyway: Qualys’ SSL Labs website. I love to be secure, and I want everybody to be secure on the website. The aggregate amount of lost time and problems people have due to unencrypted information must be enormous, but I get a bit annoyed with how the SSL Labs website is now dictating how we do our security. /End soapbox.
Without further ado, my guide to an F5 SSL Labs A+ grade. SSL Labs is now hating on PFS DHE keys, and preferring ECDHE keys.
Check your F5 version’s DEFAULT cipher string here. Now switch out whatever the flavor of the month is for SSL Labs.
As of July 24, 2015, here it is for v.11.6HF5:
Basically I’ve pulled the standard Diffie-Hellman ciphers out, and replaced them with the Elliptic Curve Diffie-Hellman ciphers.
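To confirm that a candidate cipher string really drops the finite-field DHE suites and keeps ECDHE, you can audit the cipher listing BIG-IP prints for it (for example from `tmm --clientciphers`). The script below is an added example, not code from the original post; the sample listing is constructed, its column layout is an assumption, and treating listing order as preference order is also an assumption.

```python
import re

# Constructed sample laid out like a BIG-IP cipher listing. The column layout
# is an assumption; only the index, ID and suite-name columns are relied on.
SAMPLE_LISTING = """\
       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-SHA         128  TLS1.2  Native  AES      SHA     ECDHE_RSA
 2:    51  DHE-RSA-AES128-SHA           128  TLS1.2  Native  AES      SHA     EDH/RSA
 3:    47  AES128-SHA                   128  TLS1.2  Native  AES      SHA     RSA
"""

ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")

def parse_suites(listing):
    """Return suite names in listed order, skipping the header and blank lines."""
    return [m.group(2) for m in map(ROW.match, listing.splitlines()) if m]

def key_exchange(suite):
    """Classify a pre-TLS 1.3, OpenSSL-style suite name by its key exchange."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "STATIC"  # static RSA or fixed (EC)DH: no forward secrecy

def audit(listing):
    """Group suites by key exchange and list what still needs changing."""
    suites = parse_suites(listing)
    groups = {"ECDHE": [], "DHE": [], "STATIC": []}
    for suite in suites:
        groups[key_exchange(suite)].append(suite)
    findings = []
    if groups["DHE"]:
        findings.append("finite-field DHE still offered: " + ", ".join(groups["DHE"]))
    if not groups["ECDHE"]:
        findings.append("no ECDHE suites offered")
    elif key_exchange(suites[0]) != "ECDHE":
        findings.append("first-preference suite is not ECDHE: " + suites[0])
    return groups, findings

if __name__ == "__main__":
    groups, findings = audit(SAMPLE_LISTING)
    for kx, names in groups.items():
        print(f"{kx:7} {len(names)} suite(s)")
    for finding in findings or ["no DHE suites; ECDHE preferred"]:
        print("-", finding)
```

An empty findings list means the listing contains no plain DHE suites and leads with ECDHE; static RSA suites are only counted, not flagged.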
As you can imagine, I’m not entirely thrilled with getting rated A+ or F. I would prefer to have a list of reasons how I could improve security and why Qualys thinks something is terrible, instead of getting yelled at for not being an A+. So if I see that I’m not A+, let me know and I’ll get the new cipher string!