The cipher string I am using is DEFAULT:!SSLv3:!RC4, which gets an A-.
Which cipher settings should I use to add PFS and achieve an A+?
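I think DHE is included in 11.2.1, but it is not part of the DEFAULT cipher list. Can you try 'DHE:!SSLv3'? As the second listing below shows, that string on its own offers only DHE key exchange and also enables the 64-bit single-DES suites (DHE-RSA-DES-CBC-SHA). Treat it as a check that DHE is available rather than as a final setting, and exclude the single-DES suites before using it on a live profile.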
[root@B4200-R77-S7:Active:Standalone] config tmsh show sys version | head
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 1306.0
Edition Hotfix HF13
Date Wed Dec 3 15:05:53 PST 2014
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DHE:!SSLv3'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
9: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
13: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA