Forum Discussion

danmustlearn's avatar
danmustlearn
Icon for Nimbostratus rankNimbostratus
Jun 22, 2022

SSLlabs strong ciphers only with tls 1.2 running

Hopefully this saves someone else a few hours of searching trying and reconfiguring the F5 Cipher Suites to get an "A" and only use strong ciphers with only tls 1.2 with ssllabs.com.  F5's implementation of cipher suites and chosing which to use could be greatly improved for ease of use.

I was able to achieve an "A" on SSLlabs.com with Strong Ciphers Only by doing the following:

Note- with having only these 2 ciphers selected older versions of Internet Explorer 11 on Win 7, Win8.1, Win Phone 8.1, and Safari 6, 7, 8 cause handshake_failures. 

First create the rule:

Under Local Traffic > Ciphers: Rules > Create

Under Rule Creation>  Give it a RULENAME

To the right of Cipher Suites:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

Second the group:

Under Local Traffic > Ciphers: Groups > then Create

Give the group a GROUPNAME, then on the right under Available Rules select the RULENAME you created and click << box and then click finish.

Third - assign the group to an ssl profile:

Under Local Traffic > Profiles> SSL> Client> Select your exisitng SSL Client, Ie EXAMPLE.

Once within the profile click the drop down to the right of Configuration: to show Advanced.

Make sure your Ciphers has a check in the box on the right.  Click the drop down next to ciphers and select the GROUPNAME you created and then click Update at the bottom.

----

We were also able to achieve an "A" but with weak cipher suites showing on SSLlabs.com .

We were using for our cipher suites:

!NONE:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:!RSA+AES-GCM:!RSA+AES:-MD5:-SSLv3:-RC4:!3DES:!TLSv1:!TLSv1_1:TLSv1_3

  • Thank you for your work. Why should you accept old clients such as IE11 with Win7 or old Safari? We have TLS1.2 with only those two chipers enabled and get A+ Rating on SSLLABs. Im woundering why you only get A rating? 

    • Alexandre's avatar
      Alexandre
      Icon for Altocumulus rankAltocumulus

      Moving A to A+ is usually about activating HSTS (HTTP profil)