Forum Discussion

AK_164512
Apr 20, 2018

Cipher combination to get an A/A-/A+ on SSLlabs

Hi all, what's the best cipher combination to get an A/A-/A+ on SSLlabs? I am using 12.1.0 HF2.

SSLlabs reports bad on weak Diffie-Hellman (DH) key exchange parameters, and the server does not support Forward Secrecy with the reference browsers.

Below are the defaults on the F5 at the moment:

   ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX

0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA

1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA

2: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA

3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA

4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA

5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA

6: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA

7: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA

8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA

9: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA

10: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA

11: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA

12: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA EDH/RSA

13: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA EDH/RSA

14: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA EDH/RSA

15: 22 DHE-RSA-DES-CBC3-SHA 168 DTLS1 Native DES SHA EDH/RSA

16: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA

17: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA

18: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA

19: 53 AES256-SHA 256 TLS1 Native AES SHA RSA

20: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA

21: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA

22: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA

23: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA

24: 47 AES128-SHA 128 TLS1 Native AES SHA RSA

25: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA

26: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA

27: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA

28: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA

29: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA

30: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA

31: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA

32: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA

33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA

35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA

36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA

37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA

38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA

40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA

41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA

42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA

43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA

44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA

Any suggestions?
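
One way to sort a listing like the one in the post above by its KEYX and CIPHER columns, to see which suites fall under the two findings mentioned (forward secrecy and DH parameters). This is an added example, not part of the original post; the tag names and grouping are this example's own assumptions and not SSL Labs' grading rules, and the sample rows are copied from the listing.

```python
import re
from collections import defaultdict

# Sample rows copied from the listing in the post (one line deliberately
# left run together, as in the original paste).
SAMPLE = """\
   ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA EDH/RSA
16: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
32: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
"""

FIELDS = ("index", "id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")
# index: id suite bits prot method cipher mac keyx
ROW = re.compile(r"(\d+):\s+(\d+)\s+(\S+)\s+(\d+)" + r"\s+(\S+)" * 5)

def parse_listing(text):
    """One dict per row; finditer also splits rows run together on one line."""
    return [dict(zip(FIELDS, m.groups())) for m in ROW.finditer(text)]

def findings(row):
    """Tags (names are this example's own) derived from KEYX and CIPHER."""
    tags = []
    if row["keyx"] == "RSA":               # static RSA key exchange
        tags.append("static-rsa-no-forward-secrecy")
    elif row["keyx"].startswith("EDH"):    # finite-field ephemeral DH
        tags.append("dhe-depends-on-dh-parameters")
    elif row["keyx"].startswith("ECDHE"):  # elliptic-curve ephemeral DH
        tags.append("ecdhe-forward-secret")
    if row["cipher"] == "DES":             # listed with 168 bits, i.e. 3DES
        tags.append("3des")
    return tags

def group_suites(text):
    """Map each tag to the sorted, de-duplicated suite names carrying it."""
    groups = defaultdict(set)
    for row in parse_listing(text):
        for tag in findings(row):
            groups[tag].add(row["suite"])
    return {tag: sorted(names) for tag, names in groups.items()}

if __name__ == "__main__":
    for tag, names in sorted(group_suites(SAMPLE).items()):
        print(tag)
        for name in names:
            print("   ", name)
```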