Cirrostratus
MVPHi Swjo,
Win XP / IE8 user would be reject, is there any possible method using 3DES and get over A grade?
The cipher string I've posted in the HowTo does NOT exclude every single DES cipher. It just disabled DHE+DES based ciphers, since F5 does not support DHE keys with appropiate key sizes.
Windows XP / IE8 will be still supported if IE8 has turned on TLS1.0 / TLS1.1. You can see this by
Question 2.
ECDH resuse and setting HSTS headers are two seperate issues. ECDH resuse will make sure that you generate a fresh ECDH key pair for ever single SSL session and HSTS will make sure to mark you site as SSL-only so that clients will stop to send plaintext HTTP requests...
Note: You should also set the "SSL Renegotiation Size" to "1 GB" to counter sweet32 attacks.
Cheers, Kai