Forum Discussion

uni's avatar
uni
Icon for Altostratus rankAltostratus
Mar 20, 2014

Best practice for clientssl profiles

Can anyone recommend their preferred settings for clientssl profiles? What cipher string, options and other flags do you use?

 

I usually test mine using , but get at best an "A-".

 

3 Replies

    • uni's avatar
      uni
      Icon for Altostratus rankAltostratus
      Most of those are not needed. The defaults ciphers (11.4 and & 11.5) are tighter that than now I think. I was more interested in the other clientssl profile settings anyway.
  • Just updated LTMs to 11.6.0 HF3, and that seems to automatically get you an A-. Seems Qualys SSL Labs wants you to emphasize Perfect Forward Secrecy, to get the full "A". After a lot of trial & error in a test SSL client profile (with default clientssl as parent), I managed to get an "A" by using this:

     

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA:AES128-SHA256:DES-CBC3-SHA:!SSLv3

     

    The only other thing not default, was checking the "Strict Resume" box. The only browser that is incompatible is IE 6/XP.

     

    I have yet to test this for any speed penalties (PFC is said to be slower).