uni (Altostratus), Mar 20, 2014
Best practice for clientssl profiles
Can anyone recommend their preferred settings for clientssl profiles? What cipher string, options and other flags do you use?
I usually test mine using , but get at best an "A-".
Hi, my settings are:
NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4+RSA:@SPEED
Good article about ciphers link
Just updated LTMs to 11.6.0 HF3, and that seems to automatically get you an A-. Seems Qualys SSL Labs wants you to emphasize Perfect Forward Secrecy, to get the full "A". After a lot of trial & error in a test SSL client profile (with default clientssl as parent), I managed to get an "A" by using this:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA:AES128-SHA256:DES-CBC3-SHA:!SSLv3
The only other thing not default was checking the "Strict Resume" box. The only browser that is incompatible is IE 6/XP.
I have yet to test this for any speed penalties (PFS is said to be slower).
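An added check, written for this thread and not taken from any reply or from F5 tooling: it parses a colon-separated OpenSSL/F5-style cipher list such as the ones posted above and reports the suites an SSL Labs review would point at (no forward-secret key exchange, legacy 3DES/RC4/MD5/EXPORT suites, duplicates), then emits a tidied list with the original ordering kept. It assumes OpenSSL suite naming, where an ECDHE-/DHE-/EDH- prefix marks ephemeral key exchange; the sample is the cipher string from the "A" grade reply.

```python
from collections import Counter

# Cipher list quoted in the "A" grade reply above (the thread's own value).
GRADE_A_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA:AES128-SHA256:DES-CBC3-SHA:!SSLv3"
)

# Keyword aliases that select groups of suites rather than naming a single suite.
ALIASES = {"NATIVE", "DEFAULT", "ALL", "HIGH", "MEDIUM", "LOW", "COMPAT"}
# Substrings marking suites worth dropping: 3DES (DES-CBC3), RC4, MD5, export grade, NULL.
LEGACY_MARKERS = ("DES", "RC4", "MD5", "EXPORT", "NULL")


def parse_cipher_list(cipher_string):
    """Split into explicit suite names and directives (!, @, +, - prefixes or aliases)."""
    suites, directives = [], []
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        if token[0] in "!@+-" or token.upper() in ALIASES:
            directives.append(token)
        else:
            suites.append(token)
    return suites, directives


def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange in OpenSSL naming (assumption: ECDHE-/DHE-/EDH- prefix)."""
    return suite.upper().startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_cipher_list(cipher_string):
    """Report non-PFS, legacy and duplicated suites plus any directives found."""
    suites, directives = parse_cipher_list(cipher_string)
    counts = Counter(suites)
    return {
        "total": len(suites),
        "directives": directives,
        "non_pfs": [s for s in suites if not is_forward_secret(s)],
        "legacy": [s for s in suites if any(m in s.upper() for m in LEGACY_MARKERS)],
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
    }


def tidy_cipher_list(cipher_string):
    """Drop legacy suites and duplicates; keep the author's order so PFS suites stay preferred."""
    suites, directives = parse_cipher_list(cipher_string)
    kept, seen = [], set()
    for s in suites:
        if s in seen or any(m in s.upper() for m in LEGACY_MARKERS):
            continue
        seen.add(s)
        kept.append(s)
    return ":".join(kept + directives)
```

A list made only of aliases and exclusions, like the first reply's NATIVE:!MD5:... string, yields no explicit suites to audit; the set of suites it actually enables has to be read off the device.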