Home Tech Networks Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites

Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites

By on ( 8 )

f5-networks-logo

Today we’ll take a look at fixing the error that kept us from getting a grade better than B last time.

Last time we were left with this test result:

SSL_errors2

“This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.”

This is a error pertaining to how the F5 suggests cipher suites to the client, and particularly, in what order. Sadly, this is a bit of a whack-a-mole, from time to time Qualys updates what they consider to be secure cipher suites, and then you need to go in and update your cipher lists. Usually, this happens once or twice a year. The problem is, that you can’t really just plainly disable all the older ciphers, as newer ones aren’t supported by older clients, so you need to disable the really old and horrible ciphers, while reordering them to always try the best ciphers first, and then falling back upon the less preferable ones until you find the best cipher that the client will support.

Luckily Mr. Kai Wilke of F5 has posted a short how-to on what cipher list to use, as well as an updated one when Qualys changed some things around.

So, according to Kai, the latest and greatest cipher list (as of Feb 2017) is the following, reproduced here for completeness sake:

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

So, now we need to apply this cipher list, and as luck will have it, it’s again under the SSL Profile that we improved last time.

F5_SSL_Profiles

Go under  Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.

Ciphers1

After selecting Configuration: Advanced at the top of the page, scroll down to Ciphers and check Custom at the right hand side.

Ciphers2

Click the radio button Cipher String and insert the string we borrowed from F5 into the text box.

After this you can just save your profile and rerun the SSL Test

A Grade

Which should give you the sought-after A Grade!

Also check out the other instalments of this series:

Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains
Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse
Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1

Categories: Networks, Tech

Tags: , , , , , ,

8 replies

  1. Nurul Azati
    May 17, 2022 • 23:06

    Hey.

    This is helpful as I’m in the midst of disabling the tls1.1.
    May I know how you run the SSL Test?

    Reply ↓

Trackbacks

  1. Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse – Grumpy Techie
  2. Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1 – Grumpy Techie
  3. Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains – Grumpy Techie
  4. Fixing SSL Labs Grade on F5 Big-IP – Enabling TLSv1.3 – Grumpy Techie
  5. Fixing SSL Labs Grade on F5 Big-IP – Custom Cipher Groups – Grumpy Techie
  6. Fixing SSL Labs Grade on F5 Big-IP – Enabling HSTS – Grumpy Techie

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: