F5 SSL Labs A+

Update: 09/10/2018

SSL Labs has changed its requirements for cipher suites. The new cipher string is:

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

So I’m going to write a how-to about something I’m not sure I agree with, but because it seems to be a big hit nowadays, I’ll do it anyway: Qualys’ SSL Labs website. I love to be secure, and I want everybody to be secure on the web. The aggregate amount of lost time and problems people have due to unencrypted information must be enormous, but I get a bit annoyed with how the SSL Labs website is now dictating how we do our security. /End soapbox.

Without further ado, my guide to an F5 SSL Labs A+ grade. SSL Labs is now penalizing the finite-field PFS key exchange (DHE) and preferring the elliptic-curve one (ECDHE).

Check your F5 version’s DEFAULT cipher string here, then swap in whatever SSL Labs’ flavor of the month is.

As of July 24, 2015, here it is for v11.6 HF5:

ciphers !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA:AES-GCM+RSA:RSA+AES:RSA+3DES

Basically I’ve pulled the standard Diffie-Hellman (DHE) ciphers out and replaced them with the Elliptic Curve Diffie-Hellman (ECDHE) ciphers.

As you can imagine, I’m not entirely thrilled with being rated either A+ or F. I would prefer a list of reasons for how I could improve security and why Qualys thinks something is terrible, instead of getting yelled at for not being an A+. So if you see that I’m not A+, let me know and I’ll get the new cipher string!

-Anni


2 Replies to “F5 SSL Labs A+”

  1. Is it just the cipher string that needs changing on an F5?
    We needed to enable HSTS as well on our appliance, or is that default on an F5?

    Frustrating, isn’t it? When a customer tells you your installation is insecure, when you know it’s not, and demands that you get them an A+ … but doesn’t want to turn on HSTS, because that would break their application :-).

    https://www.loadbalancer.org/blog/stunnel-cipher-list-and-qualys-ssl-labs-testing/

  2. You are correct, Sir.

    We’ve had HSTS on our site for so long, we didn’t even think about it. In 13.1 at least, the HSTS setting can be turned on in the HTTP profile, so for the client SSL profile, just the cipher string looks to be good enough.

    After the ciphers are changed, enable HSTS in the HTTP profile with the default settings and you have enough for the A+. Good catch, and great site and background on ciphers for Qualys on that post!
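The replies above settle that the cipher string alone is not enough and that HSTS has to be on as well. As an added example (not code from the post, from F5 or from Qualys), here is a small check of the Strict-Transport-Security header as a browser would read it: present exactly once, with a numeric non-zero max-age above a threshold. The 180-day figure is my assumption for what SSL Labs counts as a “long duration” policy; adjust the constant if your grader says otherwise. The sample responses are constructed, not captured from any site.

```python
"""Check a Strict-Transport-Security header for the HSTS part of an A+."""

# Assumed threshold for SSL Labs' "long duration" HSTS: 180 days in seconds.
LONG_DURATION = 180 * 24 * 60 * 60


def parse_hsts(value):
    """Split an HSTS field value into {directive: value}.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    a directive appearing twice is a malformed header and is rejected.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"')
    return directives


def check_hsts(headers, minimum=LONG_DURATION):
    """headers: list of (name, value) pairs received over HTTPS.

    Returns (ok, reason). Mirrors what a browser does before trusting the
    policy: only the first HSTS header is processed (RFC 6797 section 8.1),
    max-age must be a number, and max-age=0 removes any stored policy.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header"
    if len(values) > 1:
        return False, "more than one HSTS header; browsers honour only the first"
    try:
        d = parse_hsts(values[0])
    except ValueError as err:
        return False, str(err)
    age = d.get("max-age")
    if age is None:
        return False, "max-age directive missing"
    if not age.isdigit():
        return False, f"max-age is not a number: {age!r}"
    age = int(age)
    if age == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if age < minimum:
        return False, f"max-age {age}s is below the {minimum}s long-duration bar"
    subs = "includeSubDomains set" if "includesubdomains" in d else "includeSubDomains not set"
    return True, f"max-age {age}s ok; {subs}"


# Constructed sample responses as (name, value) header lists.
SAMPLES = {
    "good":    [("Content-Type", "text/html"),
                ("Strict-Transport-Security", "max-age=16070400; includeSubDomains")],
    "short":   [("Strict-Transport-Security", "max-age=300")],
    "cleared": [("Strict-Transport-Security", "max-age=0")],
    "missing": [("Content-Type", "text/html")],
    "garbled": [("Strict-Transport-Security", "max-age=abc")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        ok, reason = check_hsts(hdrs)
        print(f"{label:8} {'PASS' if ok else 'FAIL'}: {reason}")
```

Feed it the header list from any HTTPS client (for example the `headers.items()` of a `requests` response) and it tells you which of the usual HSTS mistakes you have: the header only on the redirect, a max-age too short to count, or a stray max-age=0 left over from a rollback.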
