SSL Accelerated Services

1 Introduction

KEMP Technologies leads the industry in driving the price/performance value proposition for application delivery and load balancing to levels that our customers can afford. Our products’ versatile and powerful architecture provides the highest value, while enabling our customers to optimize their businesses that rely on Internet-based infrastructure to conduct business with their customers, employees and partners.

KEMP Technologies products optimize web and application infrastructure as defined by high-availability, high-performance, flexible scalability, security and ease of management. They maximize the total cost-of-ownership for web infrastructure, while enabling flexible and comprehensive deployment options.

1.1 Document Purpose

This document describes various aspects of SSL Accelerated Services using the KEMP LoadMaster.  It describes in detail how to configure SSL Accelerated Services using the LoadMaster Web User Interface (WUI).

1.2 Intended Audience

This document is intended to help anyone who wishes to learn about or implement the SSL Accelerated Services within the KEMP LoadMaster.

2  Create an SSL Accelerated Virtual Service

 This section will explain how to create a Virtual Service with SSL Acceleration activated.

 SSL Acceleration transfers the processing of SSL from the Real Servers to the LoadMaster, meaning that only one certificate is required per Virtual Service.

 When SSL Acceleration is enabled, communication from the LoadMaster to the Real Servers is unencrypted.

2.1  Adding an SSL Virtual Service

The process for adding an SSL-enabled Virtual Service is the same as for a regular Virtual Service. First, add the Virtual Service. In the main menu of the LoadMaster WUI, select Virtual Services and Add New. A screen will appear asking you to enter the Virtual Address, Port, Service Name and Protocol.

Adding an SSL Virtual Service.png

 The port defaults to port 80, which is the standard HTTP port. If an SSL-enabled Virtual Service is being created, change the port to 443, which is the default HTTPS port. Keep the protocol as tcp, and click Add this Virtual Service.

The Virtual Service properties screen will appear. Among the various sections in this screen is SSL Properties.

Adding an SSL Virtual Service_1.png

 To enable SSL for this Virtual Service, select the Enabled check box.

A warning will appear saying that a temporary certificate will be used for the service.  Click OK.

 As soon as SSL is enabled, the LoadMaster will install a self-signed certificate for the Virtual Service. 

The checkboxes in the Supported Protocols section allow you to specify which protocols should be supported by the Virtual Service. By default, TLS 1.1 and TLS 1.2 are enabled and SSLv3 and TLS 1.0 are disabled.

Starting with version 7.2.37, when re-encryption is enabled, the TLS versions that can be negotiated between the LoadMaster and the Real Servers behind it are no longer constrained by the TLS version settings configured on the client side. All TLS versions and ciphers that are supported on the LoadMaster can be negotiated without restriction by Real Servers. In this way, the LoadMaster can, for example, provide strict security for client-side application access and still support server-side connections to legacy servers that only support specific, less secure, TLS versions and ciphers. This is illustrated in the example below.

010.png

Selecting the Require SNI hostname check box means that the Server Name Indication (SNI) hostname will always be required to be sent in the TLS client hello message.

When Require SNI hostname is disabled, the first certificate in the list of Assigned Certificates is used if a host header match is not found.

SNI.png

When Require SNI hostname is enabled, a certificate with a matching host name must be found, otherwise the connection is dropped. This also supports wildcard certificates.

Multiple certificates are supported. Wildcard certificates work regardless of what position they are in. SNI can find certificates by Subject Alternative Name (SAN) when the certificate is not in the first position. SNI will choose the first matching certificate in a list if multiple certificates contain the same name in either the Common Name or SAN name.

When using a Subject Alternative Name (SAN) certificate, alternate source names are not matched against the host header.

 

Wildcard certificates are supported but please note that the root domain name will not be matched as per RFC 2459. Only anything to the left of the dot will be matched. Additional certificates must be added to match the root domain names. For example, www.kemptechnologies.com will be matched by a wildcard of *.kemptechnologies.com. Kemptechnologies.com will not be matched.
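The selection rules described above (list order, wildcard matching, and the effect of Require SNI hostname) can be modelled to check a planned certificate assignment before enabling the option. This Python is an added example, not LoadMaster code: the class and function names, the example.com certificates, and the rule that a wildcard covers exactly one label are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AssignedCert:
    """One entry in a Virtual Service's Assigned Certificates list (model only)."""
    identifier: str
    common_name: str
    san_names: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.common_name, *self.san_names]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against an SNI hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False                      # this also rejects the root domain
    left = hostname[: -len(suffix)]
    # Assumption: the wildcard stands for exactly one non-empty label.
    return bool(left) and "." not in left


def select_certificate(assigned: List[AssignedCert],
                       sni_hostname: Optional[str],
                       require_sni: bool) -> Optional[AssignedCert]:
    """Return the certificate that would be presented, or None if the
    connection would be dropped."""
    if sni_hostname:
        for cert in assigned:             # first match in list order wins
            if any(name_matches(n, sni_hostname) for n in cert.names()):
                return cert
    if require_sni:
        return None                       # no SNI or no match: drop
    return assigned[0] if assigned else None   # fall back to first certificate


def coverage_gaps(assigned: List[AssignedCert], hostnames: List[str]) -> List[str]:
    """Hostnames that would be dropped once Require SNI hostname is enabled."""
    return [h for h in hostnames
            if select_certificate(assigned, h, require_sni=True) is None]


# Constructed sample assignment, in list order.
ASSIGNED = [
    AssignedCert("portal", "portal.example.com"),
    AssignedCert("api-san", "api.example.net", ["api.example.org"]),
    AssignedCert("wildcard", "*.example.com"),
]

if __name__ == "__main__":
    for host in ["www.example.com", "api.example.org", "example.com", None]:
        for require in (False, True):
            chosen = select_certificate(ASSIGNED, host, require)
            print(f"{host!s:20} require_sni={require!s:5} ->",
                  chosen.identifier if chosen else "connection dropped")
    print("gaps:", coverage_gaps(ASSIGNED, ["www.example.com", "example.com"]))
```

Running `coverage_gaps` over every hostname that clients use shows which names, typically the root domain, still need their own certificate before Require SNI hostname is switched on.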

After you have added certificates to the LoadMaster (see the  Adding an SSL Certificate section) you can assign one or more certificates to the Virtual Service by selecting them in the Available Certificates list, clicking the right arrow and clicking the Set Certificates button. Both internal and external certificates can be assigned to the same Virtual Service.

A description of each of the options in the Client Certificates drop-down is provided below:

No Client Certificates required: enables the LoadMaster to accept HTTPS requests from any client. This is the recommended option.

By default the LoadMaster will accept HTTPS requests from any client. Selecting any of the other values below will require all clients to present a valid client certificate. In addition, the LoadMaster can also pass information about the certificate to the application.

This option should not be changed from the default of No Client Certificates required. Only change from the default option if you are sure that all clients that access this service have valid client certificates.

Client Certificates required: requires that all clients forwarding a HTTPS request must present a valid client certificate.

Client Certificates and add Headers: requires that all clients forwarding a HTTPS request must present a valid client certificate. The LoadMaster also passes information about the certificate to the application by adding headers.

The below options send the certificate in its original raw form. The different options let you specify the format that you want to send the certificate in:

- Client Certificates and pass DER through as SSL-CLIENT-CERT

- Client Certificates and pass DER through as X-CLIENT-CERT

- Client Certificates and pass PEM through as SSL-CLIENT-CERT

- Client Certificates and pass PEM through as X-CLIENT-CERT

 Real Servers can be added to this SSL Virtual Service by clicking Add New in the Real Servers section. 

Adding an SSL Virtual Service_2.png

When adding Real Servers, ensure that you add them on port 80 (or whatever port the non-SSL service is running on), and not port 443.

2.2  Adding an SSL Certificate

 If you have a Certificate Authority (CA)-signed certificate to use with an SSL-enabled Virtual Service, or have a custom self-signed certificate, this can be added to the Virtual Service through the WUI.

Adding an SSL Certificate.png

 There is a button called Manage Certificates that you can click to add an (RSA or EC) SSL certificate.

Adding an SSL Certificate_1.png

 There is also an Add New button in the View/Modify Services screen in the Certificates Installed column.

Adding an SSL Certificate_2.png

Either route opens the same screen: the screen to input the certificate information.

At this point there are two options: Add Intermediate and Import Certificate.

 

Add Intermediate

Adding an SSL Certificate_3.png

Clicking this button will allow you to add an intermediate certificate as a temporary measure.  Browse to where the file is stored, enter the desired name in the Desired File Name field and click the Add Certificate button.

 

Import Certificate

Adding an SSL Certificate_4.png

The certificate and key file can be added from this screen. The Passphrase (password) that the certificate was created with will need to be entered. The certificate can be given a name in the Certificate Identifier text box.

To import a certificate, follow the steps below:

1. Click the Choose File button next to Certificate File and select the required certificate file.

2. Click the Choose File button next to Key File and select the relevant key file, if required.

3. Enter the relevant pass phrase in the Pass Phrase text box (if required).

4. Enter a recognisable name in the Certificate Identifier text box.

5. Click Save.

Transactions Per Second (TPS) Performance will vary based on key length.  Larger keys will reduce performance.

Adding an SSL Certificate_5.png

6. The certificate can then be assigned to a Virtual Service(s) by selecting the relevant IP address(s) in the Available VSs list, clicking the right arrow and clicking Save Changes.

Adding an SSL Certificate_6.png

Certificates can also be assigned to a Virtual Service within the Modify Virtual Service screen.

2.3  Checking Certificate Installations

Some browsers have functionality that allows a check of the nature of the certificate installed on the website being connected to. This can be useful when troubleshooting a certificate problem.

 When browsing an SSL site, HTTPS should be displayed in the address and there may be an icon signifying a secure link (a padlock icon).

padlock-certificate

 The icon can be clicked to see information about the certificate that is used with that SSL site.

2.4 Intermediate Certificates

 Some certificates issued by Certificate Authorities require a third certificate, often referred to as an intermediate certificate, or third-party certificate. This additional certificate provides a chain path from the CA to the certificate issued to your site.

While some CAs use intermediate certificates, others do not. Check with your CA to determine if one is needed. 

 If a CA certificate has been installed, and an SSL error appears when browsing the Virtual Service, it is likely that an intermediate certificate needs to be installed.

Uploading several consecutive intermediate certificates within a single piece of text, as practiced by some certificate vendors such as GoDaddy, is allowed. The uploaded file is split into individual certificates.

2.5 Installing Intermediate Certificates

Installing an intermediate certificate is simple to do through the WUI. First, obtain the intermediate certificate from the CA. This can usually be found on their web site, and is usually in a text window to make it easier to cut and paste.

To install an intermediate certificate please complete the following steps:

1. Navigate to Certificates & Security > Intermediate Certs in the main menu.

2. Click Add New.

Installing Intermediate Certificates.png

3. Click Choose File.

4. Browse to and select the required certificate file.

5. Enter the Desired File Name.

6. Click Add Certificate.

7. Click OK.

These third party/intermediate certificates do not need to be associated with any Virtual Service certificates. The LoadMaster will automatically build the required certificate chain. 

Also, only one intermediate certificate is required per CA. If several certificates have been installed from VeriSign, for instance, you only need to install the VeriSign intermediate certificate once. 

2.6 IIS Certificates

 This section outlines how to migrate SSL from Microsoft Internet Information Services (IIS) to the LoadMaster.

 When putting a LoadMaster in a situation where a Microsoft IIS server was previously performing SSL, there is an option to import the IIS certificate into the LoadMaster. This SSL certificate can be migrated from Microsoft IIS to the LoadMaster by completing two simple tasks. The first task is to export the SSL certificate from the IIS using Microsoft export tools; ensure to export the certificate and private key as a Personal Information Exchange File (PFX). The second step is to import the PFX file into the LoadMaster using the LoadMaster WUI. To start the import process on the LoadMaster simply click the Add New button in the SSL enabled Virtual Service and install the certificate as per the instructions in the  Adding an SSL Certificate section.

2.7  Re-encrypt SSL

 With SSL acceleration, the SSL session is terminated at the LoadMaster, and sent to the Real Servers unencrypted. In some security situations, it may be necessary to encrypt the connection between the LoadMaster and Real Servers. This can be done with reencrypt SSL. 

 With reencrypt SSL, the SSL session is first terminated at the LoadMaster. Persistence and other Layer 7 functionality can then be performed. After that, the traffic is re-encrypted in a new SSL session between the LoadMaster and the Real Server.

Re encrypt SSL.png

 This is turned on by a single option in the properties screen of a Virtual Service in the SSL section.

2.8 Assigning a Client Certificate for Re-encryption

It is possible to require client certificates when SSL re-encryption is enabled. To assign a client certificate for re-encryption, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.

Assigning a Client Certificate.png

2. Click Reencryption Usage on the relevant certificate.

Assigning a Client Certificate_1.png

3. Select the relevant IP address from the Available VSs box.

4. Click the right arrow.

5. Click Save Changes.

Assigning a Client Certificate_2.png

The Reencryption Client Certificate is displayed in the SSL Properties section of the relevant Virtual Service.

2.9  Certificate Signing Request (CSR)

You can create a CSR for submission to your signing authority of choice. Using the WUI, navigate to Certificates & Security > Generate CSR. Fill in the information and click Create CSR. CSRs generated by the LoadMaster use SHA256.

 

Caution
Store the private key in a vault. The private key will be required once the authority creates the certificate.

2.10  Backup/Restore Certificates

 The LoadMaster supports exporting of ALL certificate information. This includes private key, host and intermediate certificates. The export file is designed to be used for import into another LoadMaster and is encrypted. Export and import can be completed using the WUI at Certificates & Security > Backup/Restore Certs.  Please make sure to note the passphrase used to create the export - it will be required to complete the import.

There are options to restore only Virtual Service certificates including private keys, intermediate certificates or both. 

2.11 SSL Ciphers

The LoadMaster supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.

Ciphers define how the data stream is encrypted. The LoadMaster supports ciphers supporting perfect forward secrecy and Elliptic Curve.

SSL Ciphers.png

Each Virtual Service (which has SSL Acceleration enabled) has a cipher set assigned to it. This can either be one of the system-defined cipher sets or a user-customized cipher set. The system-defined cipher sets can be selected to quickly and easily select and apply the relevant ciphers.

A cipher set also needs to be assigned to the LoadMaster WUI. To set the WUI cipher set, go to Certificates & Security > Admin WUI Access.

The system-defined cipher sets are as follows:

Default: The current default set of ciphers in the LoadMaster.

Default_NoRc4: The Default_NoRc4 cipher set contains the same ciphers as the default cipher set, except without the RC4 ciphers (which are considered to be insecure).

BestPractices: This is the recommended cipher set to use. This cipher set is for services that do not need backward compatibility - the ciphers provide a higher level of security. The configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7.

Intermediate_compatibility: For services that do not need compatibility with legacy clients (mostly Windows XP), but still need to support a wide range of clients, this configuration is recommended. It is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.

Backward_compatibility: This is the old cipher suite that works with clients back to Windows XP/IE6. This should be used as a last resort only.

WUI: This is the cipher set recommended to be used as the WUI cipher set.

FIPS: Ciphers which conform to FIPS (Federal Information Processing Standards).

Legacy: This is the set of ciphers that were available on the old LoadMaster firmware (v7.0-10) before OpenSSL was updated.

Refer to Appendix A for a full list of the ciphers supported by the LoadMaster, and a breakdown of what ciphers are in each of the system-defined cipher sets.

KEMP Technologies reserves the right to change the contents of these cipher sets as required.

Clicking the Modify Cipher Set button will bring you to the Cipher Set Management screen. This screen allows you to create new and modify existing custom cipher sets.

Starting with version 7.2.37, when re-encryption is enabled, the TLS versions that can be negotiated between the LoadMaster and the Real Servers behind it are no longer constrained by the TLS version settings configured on the client side. All TLS versions and ciphers that are supported on the LoadMaster can be negotiated without restriction by Real Servers. In this way, the LoadMaster can, for example, provide strict security for client-side application access and still support server-side connections to legacy servers that only support specific, less secure, TLS versions and ciphers. This is illustrated in the example below.

010.png

2.11.1 Cipher Set Management

Cipher Set Management.png

Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear greyed out in the Available Ciphers list.

Changes cannot be made to a preconfigured cipher set. However, you can start with a preconfigured cipher set – make any changes as needed and then save the cipher set with a new custom name. Enter the new name in the Save as text box and click the Save button. Custom cipher sets can be used across different Virtual Services and can be assigned as the WUI cipher set.

It is not possible to delete preconfigured cipher sets. However, custom cipher sets can be deleted by selecting the relevant custom cipher set and clicking the Delete Cipher set button.

The RC4-MND5 SSLv3 and RC4-MND5 SSLv3 ciphers are not supported for WUI connections (this is to improve security).

The RC4 ciphers are supported with (and can be assigned to) Virtual Services if needed.
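Before saving a custom cipher set, it helps to review the Assigned Ciphers list for RC4 and for ciphers without forward secrecy. This Python is an added example, not part of the LoadMaster: it classifies ciphers purely by their OpenSSL-style names, and the function names and the sample set are assumptions constructed for illustration.

```python
from typing import Dict, List

# Key-exchange prefixes that indicate an ephemeral (forward-secret) exchange
# in OpenSSL-style cipher names. Anything else is treated as static.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def cipher_properties(name: str) -> Dict[str, bool]:
    """Derive the properties this page discusses from a cipher name."""
    upper = name.upper()
    tokens = upper.split("-")
    return {
        "forward_secrecy": upper.startswith(PFS_PREFIXES),
        "elliptic_curve": tokens[0] in ("ECDHE", "ECDH") or "ECDSA" in tokens,
        "rc4": "RC4" in tokens,
    }


def without_rc4(cipher_set: List[str]) -> List[str]:
    """Same ciphers in the same order, minus RC4 (the Default -> Default_NoRc4 idea)."""
    return [c for c in cipher_set if not cipher_properties(c)["rc4"]]


def review_cipher_set(cipher_set: List[str], for_wui: bool = False) -> List[str]:
    """Return human-readable findings for a custom cipher set."""
    findings: List[str] = []
    target = "WUI" if for_wui else "Virtual Service"
    for name in cipher_set:
        props = cipher_properties(name)
        if props["rc4"]:
            findings.append(f"{name}: RC4 cipher assigned to {target} (considered insecure)")
        if not props["forward_secrecy"]:
            findings.append(f"{name}: no forward secrecy (static key exchange)")
    if cipher_set and not any(cipher_properties(c)["forward_secrecy"] for c in cipher_set):
        findings.append("set offers no forward-secret cipher at all")
    return findings


# Constructed sample of an Assigned Ciphers list, in preference order.
CUSTOM_SET = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    for finding in review_cipher_set(CUSTOM_SET):
        print("finding:", finding)
    print("without RC4:", without_rc4(CUSTOM_SET))
```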

2.12  WUI Root Certificate Installation

By default the LoadMaster uses a self-signed certificate to ensure secure administrative access to the WUI. However, most modern browsers will display a warning when such a certificate is used.

WUI Root Certificate Installation.png

In order to eliminate this warning, the LoadMaster certificate can be installed by clicking the Download Root Cert button in the main menu on the Home page, when you first access the WUI in a browser.

If this button is not visible, go to the WUI Home and refresh the page.

This will download the certificate file that can be installed on the browser so that the security warning can be avoided.

2.13 OCSP Configuration

A Common Access Card (CAC) is a smart card used for identification of active-duty military personnel, selected reserve, US Department of Defense (DoD) civilian employees and eligible contractor personnel. In addition to providing physical access to buildings and protected areas, it also allows access to DoD computer networks and systems satisfying two-factor authentication, digital security and data encryption. It leverages a Public Key Infrastructure (PKI) Security Certificate to verify a cardholder’s identity prior to allowing access to protected resources.

The Edge Security Pack (ESP) feature of the KEMP LoadMaster supports integration with DoD environments, leveraging CAC authentication and Active Directory application infrastructures. The LoadMaster acts on behalf of clients presenting X.509 certificates using CAC and becomes the authenticated Kerberos client for services.

The request for and presentation of the client certificate happens during initial SSL session establishment. There are two core elements to the process of a user gaining access to an application with CAC:

Authentication – occurs during SSL session establishment and entails:

- Verifying the certificate date

- Verifying revocation status using Online Certificate Status Protocol (OCSP)

- Verifying the full chain to the Certificate Authority (CA)

Authorization – occurs after SSL session establishment and the matching of the certificate Subject Alternative Name (SAN) against the User Principal Name (UPN) of the appropriate principal in Active Directory.

For more information, refer to the DoD Common Access Card (CAC) Authentication, Feature Description document.

2.13.1 OCSP Server Settings

The OCSP server settings can be set in the LoadMaster WUI in Certificates & Security > OCSP Configuration.

OCSP Server Settings.png

OCSP Server

The address of the OCSP server.

OCSP Server Port

The port of the OCSP server.

OCSP URL

The URL to access on the OCSP server.

Use SSL

Select this to use SSL to connect to the OCSP server.

Allow Access on Server Failure

Treat an OCSP server connection failure or timeout as if the OCSP server had returned a valid response, that is, treat the client certificate as valid.

2.14 Setting the Diffie-Hellman Key Exchange Size

The Diffie-Hellman Key Exchange Size is set to 2048 Bits by default in the LoadMaster. This can be changed if needed. To change the Diffie-Hellman Key Exchange Size, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to System Configuration > Miscellaneous Options > Network Options.

Setting the Diffie Hellman.png

2. Select the relevant option in the Size of Diffie-Helman Key Exchange drop-down list. Available values are:

- 512 Bits

- 1024 Bits

- 2048 Bits

3. A reboot is required to apply the change. To reboot the LoadMaster, go to System Configuration > System Administration > System Reboot and click Reboot.

3 WUI Options

This section provides a description for each of the WUI options relating to SSL.

3.1 SSL Properties

SSL Properties.png

SSL Acceleration

 This checkbox appears when the criteria for SSL Acceleration have been met, and serves to activate SSL Acceleration.

Enabled: If the Enabled check box is selected, and there is no certificate for the Virtual Service, you are prompted to install a certificate. A certificate can be added by clicking the Manage Certificates button and importing or adding a certificate.

Reencrypt: Selecting the Reencrypt checkbox re-encrypts the SSL data stream before sending it to the Real Server.

Reversed: Selecting this checkbox will mean that the data from the LoadMaster to the Real Server is re-encrypted. The input stream must not be encrypted. This is only useful in connection with a separate Virtual Service which decrypts SSL traffic then uses this Virtual Service as a Real Service and loops data back to it. In this way, the client to real server data path is always encrypted on the wire.

Supported Protocols

The checkboxes in the Supported Protocols section enable you to specify which protocols should be supported by the Virtual Service. By default, TLS 1.1 and TLS 1.2 are enabled and SSLv3 and TLS 1.0 are disabled.

Starting with version 7.2.37, when re-encryption is enabled, the TLS versions that can be negotiated between the LoadMaster and the Real Servers behind it are no longer constrained by the TLS version settings configured on the client side. All TLS versions and ciphers that are supported on the LoadMaster can be negotiated without restriction by Real Servers. In this way, the LoadMaster can, for example, provide strict security for client-side application access and still support server-side connections to legacy servers that only support specific, less secure, TLS versions and ciphers. This is illustrated in the example below.

010.png

Require SNI hostname

If require Server Name Indication (SNI) is selected, the hostname will always be required to be sent in the TLS client hello message.

When Require SNI hostname is disabled, the first certificate is used if a host header match is not found.

When Require SNI hostname is enabled, a certificate with a matching common name must be found, otherwise an SSL error is yielded. Wildcard certificates are also supported with SNI.

When using a Subject Alternative Name (SAN) certificate, alternate source names are not matched against the host header.

Wildcard certificates are supported but please note that the root domain name will not be matched as per RFC 2459. Only anything to the left of the dot is matched. Additional certificates must be added to match the root domain names. For example, www.kemptechnologies.com is matched by a wildcard of *.kemptechnologies.com. Kemptechnologies.com will not be matched.

To send SNI host information in HTTPS health checks, please enable Use HTTP/1.1 in the Real Servers section of the relevant Virtual Service(s) and specify a host header. If this is not set, the IP address of the Real Server is used.

Certificates

Available certificates are listed in the Available Certificates select list on the left. To assign or unassign a certificate, select it and click the right or left arrow button. Then click Set Certificates. Multiple certificates can be selected by holding Ctrl on your keyboard and clicking each required certificate.

Clicking the Manage Certificates button brings you to the SSL Certificates screen.

Reencryption Client Certificate

With SSL connections, the LoadMaster gets a certificate from the client and also gets a certificate from the server. The LoadMaster transcribes the client certificate in a header and sends the data to the server. The server still expects a certificate. This is why it is preferable to install a pre-authenticated certificate in the LoadMaster.

Reencryption SNI Hostname

Specify the Server Name Indication (SNI) hostname that should be used when connecting to the Real Servers.

This field is only visible when SSL re-encryption is enabled.

Cipher Set

A cipher is an algorithm for performing encryption or decryption.

Each Virtual Service (which has SSL Acceleration enabled) has a cipher set assigned to it. This can either be one of the system-defined cipher sets or a user-customized cipher set. The system-defined cipher sets can be selected to quickly and easily select and apply the relevant ciphers. Custom cipher sets can be created and modified by clicking the Modify Cipher Set button.

Ciphers

The Ciphers list is read only and displays a list of the currently assigned ciphers. Clicking the Modify Cipher Set button will bring you to the Cipher Set Management screen. This screen allows you to create new and modify existing custom cipher sets.

Client Certificates

No Client Certificates required: enables the LoadMaster to accept HTTPS requests from any client. This is the recommended option.

By default the LoadMaster will accept HTTPS requests from any client. Selecting any of the other values below will require all clients to present a valid client certificate. In addition, the LoadMaster can also pass information about the certificate to the application.

This option should not be changed from the default of No Client Certificates required. Only change from the default option if you are sure that all clients that access this service have valid client certificates.

Client Certificates required: requires that all clients forwarding a HTTPS request must present a valid client certificate.

Client Certificates and add Headers: requires that all clients forwarding a HTTPS request must present a valid client certificate. The LoadMaster also passes information about the certificate to the application by adding headers.

The below options send the certificate in its original raw form. The different options let you specify the format that you want to send the certificate in:

- Client Certificates and pass DER through as SSL-CLIENT-CERT

- Client Certificates and pass DER through as X-CLIENT-CERT

- Client Certificates and pass PEM through as SSL-CLIENT-CERT

- Client Certificates and pass PEM through as X-CLIENT-CERT

Verify Client using OCSP

Verify (using Online Certificate Status Protocol (OCSP)) that the client certificate is valid.

This option is only visible when ESP is enabled.

3.2 Certificates & Security

The sections below describe the various screens in the Certificates & Security section of the LoadMaster WUI.

3.2.1 SSL Certificates

The SSL certificates screen looks different depending on whether the Hardware Security Module (HSM) feature is enabled or not. To find out more about HSM, refer to the Hardware Security Module (HSM), Feature Description on the KEMP Documentation Page.

Refer to the relevant section below, depending on your settings, to find out more information about the SSL certificates screen.

3.2.2 Intermediate Certificates

Intermediate Certificates.png

This screen shows a list of the installed intermediate certificates and the name assigned to them.

Intermediate Certificates_1.png

If you already have a certificate, or you have received one from a CSR, you can install the certificate by clicking the Choose File button. Navigate to and select the certificate and then enter the desired Certificate Name. The name can only contain alpha characters with a maximum of 32 characters.

Uploading several consecutive intermediate certificates within a single piece of text, as practiced by some certificate vendors such as GoDaddy, is allowed. The uploaded file is split into the individual certificates.

3.2.3 Generate CSR (Certificate Signing Request)

If you do not have a certificate, you may complete the Certificate Signing Request (CSR) form and click the Create CSR button. CSRs generated by the LoadMaster use SHA256.

Generate CSR Certificate Signing.png

2 Letter Country Code (ex. US)

The 2 letter country code that should be included in the certificate, for example US should be entered for the United States.

State/Province (Entire Name – New York, not NY)

The state which should be included in the certificate. Enter the full name here, for example New York, not NY.

City

The name of the city that should be included in the certificate.

Company

The name of the company which should be included in the certificate.

Organization (e.g., Marketing,Finance,Sales)

The department or organizational unit that should be included in the certificate.

Common Name

The Fully Qualified Domain Name (FQDN) for your web server.

Email Address

The email address of the responsible person or organization that should be contacted regarding this certificate.

SAN/UCC Names

A space-separated list of alternate names.

After clicking the Create CSR button, the following screen appears:

Generate CSR Certificate Signing_1.png

The top part of the screen should be copied and pasted into a plain text file and sent to the Certificate Authority of your choice. They will validate the information and return a validated certificate.

The lower part of the screen is your private key and should be kept in a safe place. This key should not be disseminated as you will need it to use the certificate.  Copy and paste the private key into a plain text file (do not use an application such as Microsoft Word) and keep the file safe.

3.2.4 Backup/Restore Certs

This screen will be different depending on whether HSM has been enabled or not. Refer to the relevant section below, depending on the LoadMaster configuration.

3.2.5 Cipher Sets

Cipher Sets.png

Cipher Set

Select the cipher set to view/modify.

The system-defined cipher sets are as follows:

Default: The current default set of ciphers in the LoadMaster.

Default_NoRc4: The Default_NoRc4 cipher set contains the same ciphers as the default cipher set, except without the RC4 ciphers (which are considered to be insecure).

BestPractices: This is the recommended cipher set to use. This cipher set is for services that do not need backward compatibility - the ciphers provide a higher level of security. The configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7.

Intermediate_compatibility: For services that do not need compatibility with legacy clients (mostly Windows XP), but still need to support a wide range of clients, this configuration is recommended. It is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.

Backward_compatibility: This is the old cipher suite that works with clients back to Windows XP/IE6. This should be used as a last resort only.

WUI: This is the cipher set recommended to be used as the WUI cipher set. The WUI cipher set can be selected in the Admin WUI Access screen. For further information, refer to the Admin WUI Access section.

FIPS: Ciphers which conform to FIPS (Federal Information Processing Standards).

Legacy: This is the set of ciphers that were available on the old LoadMaster firmware (v7.0-10) before OpenSSL was updated.

Refer to the SSL Accelerated Services, Feature Description on the KEMP Documentation Page for a full list of the ciphers supported by the LoadMaster, and a breakdown of what ciphers are in each of the system-defined cipher sets.

KEMP Technologies can change the contents of these cipher sets as required based on the best available information.

Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear greyed out in the Available Ciphers list.

Changes cannot be made to a preconfigured cipher set. However, you can start with a preconfigured cipher set, make any changes as needed, and then save the cipher set with a new custom name. Enter the new name in the Save as text box and click the Save button. Custom cipher sets can be used across different Virtual Services and can be assigned as the WUI cipher set.

It is not possible to delete preconfigured cipher sets. However, custom cipher sets can be deleted by selecting the relevant custom cipher set and clicking the Delete Cipher set button.
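One way to review a cipher set before saving it as a custom set, shown on the Legacy and Best Practices lists from Appendix A. This is an added example, not KEMP code; the flag labels and function names are assumptions of the example, and the checks rely only on the OpenSSL-style naming of the ciphers.

```python
# Added example (not KEMP code): flag weak properties in a cipher set by
# parsing the OpenSSL-style names used in Appendix A.

# Names copied from the Legacy and Best Practices lists on this page.
LEGACY = """
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA ADH-RC4-MD5 IDEA-CBC-SHA
RC4-SHA RC4-MD5 ADH-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA
AES128-SHA ADH-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
""".split()

BEST_PRACTICES = """
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA DHE-RSA-AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA256
""".split()

KNOWN_KX = {"ECDHE", "ECDH", "DHE", "EDH", "DH", "ADH", "SRP"}
STATIC_KX = {"RSA", "DH", "ECDH"}   # no ephemeral key: no forward secrecy


def key_exchange(name):
    """First token is the key exchange; names without one use RSA key transport."""
    first = name.split("-")[0]
    return first if first in KNOWN_KX else "RSA"


def flags(name):
    """Return the weaknesses (hypothetical labels) that apply to one cipher."""
    tokens = name.split("-")
    kx = key_exchange(name)
    found = []
    if kx == "ADH":
        found.append("anonymous-kx")          # server is not authenticated
    if kx in STATIC_KX:
        found.append("no-forward-secrecy")
    if "RC4" in tokens:
        found.append("rc4")                   # called insecure on this page
    if "IDEA" in tokens or "CBC3" in tokens or "3DES" in tokens:
        found.append("64-bit-block")          # 3DES and IDEA
    if tokens[-1] == "MD5":
        found.append("md5-mac")
    return found


def audit(cipher_set):
    """Map each flagged cipher to its flags; clean ciphers are omitted."""
    return {c: f for c in cipher_set if (f := flags(c))}


if __name__ == "__main__":
    for label, cs in (("Legacy", LEGACY), ("BestPractices", BEST_PRACTICES)):
        report = audit(cs)
        print(f"{label}: {len(report)} of {len(cs)} ciphers flagged")
        for cipher, found in report.items():
            print(f"  {cipher}: {', '.join(found)}")
```

To check a custom set, pass its cipher names as a list to audit(); an empty result means none of the five checks matched.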

3.2.6 OCSP Configuration

OCSP Configuration.png

OCSP Server

The address of the OCSP server.

OCSP Server Port

The port of the OCSP server.

OCSP URL

The URL to access on the OCSP server.

Use SSL

Select this to use SSL to connect to the OCSP server.

Allow Access on Server Failure

Treat an OCSP server connection failure or timeout as if the OCSP server had returned a valid response, that is, treat the client certificate as valid.


Enable OCSP Stapling

Select this check box to enable the LoadMaster to respond to OCSP stapling requests. If a client connects using SSL and asks for an OCSP response, this is returned. Only Virtual Service certificates are validated. The system holds a cache of OCSP responses that are sent back to the client. This cache is maintained by the OCSP daemon. When the OCSP daemon sends a request to the server, it uses the name specified in the certificate (in the Authority Information Access field). If it cannot resolve this name, then it uses the default OCSP server specified in the OCSP Server text box.

OCSP Refresh Interval

Specify how often the LoadMaster should refresh the OCSP stapling information. The OCSP daemon caches the entry for up to the amount of time specified here, after which it is refreshed. Valid values range from 1 hour (default) to 7 days.

4 Appendix A

Each of the following sub-sections provides a list of ciphers in each of the system-defined cipher sets that exist in the LoadMaster.

4.1 Default Cipher Set

Following is a full list of the ciphers supported by the LoadMaster. These are the ciphers that are in the Default system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. ECDHE-RSA-AES256-SHA384

4. ECDHE-ECDSA-AES256-SHA384

5. ECDHE-RSA-AES256-SHA

6. ECDHE-ECDSA-AES256-SHA

7. DH-DSS-AES256-GCM-SHA384

8. DHE-DSS-AES256-GCM-SHA384

9. DH-RSA-AES256-GCM-SHA384

10. DHE-RSA-AES256-GCM-SHA384

11. DHE-RSA-AES256-SHA256

12. DHE-DSS-AES256-SHA256

13. DH-RSA-AES256-SHA256

14. DH-DSS-AES256-SHA256

15. DHE-RSA-AES256-SHA

16. DHE-DSS-AES256-SHA

17. DH-RSA-AES256-SHA

18. DH-DSS-AES256-SHA

19. DHE-RSA-CAMELLIA256-SHA

20. DHE-DSS-CAMELLIA256-SHA

21. DH-RSA-CAMELLIA256-SHA

22. DH-DSS-CAMELLIA256-SHA

23. ECDH-RSA-AES256-GCM-SHA384

24. ECDH-ECDSA-AES256-GCM-SHA384

25. ECDH-RSA-AES256-SHA384

26. ECDH-ECDSA-AES256-SHA384

27. ECDH-RSA-AES256-SHA

28. ECDH-ECDSA-AES256-SHA

29. AES256-GCM-SHA384

30. AES256-SHA256

31. AES256-SHA

32. CAMELLIA256-SHA

33. ECDHE-RSA-AES128-GCM-SHA256

34. ECDHE-ECDSA-AES128-GCM-SHA256

35. ECDHE-RSA-AES128-SHA256

36. ECDHE-ECDSA-AES128-SHA256

37. ECDHE-RSA-AES128-SHA

38. ECDHE-ECDSA-AES128-SHA

39. DH-DSS-AES128-GCM-SHA256

40. DHE-DSS-AES128-GCM-SHA256

41. DH-RSA-AES128-GCM-SHA256

42. DHE-RSA-AES128-GCM-SHA256

43. DHE-RSA-AES128-SHA256

44. DHE-DSS-AES128-SHA256

45. DH-RSA-AES128-SHA256

46. DH-DSS-AES128-SHA256

47. DHE-RSA-AES128-SHA

48. DHE-DSS-AES128-SHA

49. DH-RSA-AES128-SHA

50. DH-DSS-AES128-SHA

51. DHE-RSA-CAMELLIA128-SHA

52. DHE-DSS-CAMELLIA128-SHA

53. DH-RSA-CAMELLIA128-SHA

54. DH-DSS-CAMELLIA128-SHA

55. ECDH-RSA-AES128-GCM-SHA256

56. ECDH-ECDSA-AES128-GCM-SHA256

57. ECDH-RSA-AES128-SHA256

58. ECDH-ECDSA-AES128-SHA256

59. ECDH-RSA-AES128-SHA

60. ECDH-ECDSA-AES128-SHA

61. AES128-GCM-SHA256

62. AES128-SHA256

63. AES128-SHA

64. CAMELLIA128-SHA

65. ECDHE-RSA-RC4-SHA

66. ECDHE-ECDSA-RC4-SHA

67. ECDH-RSA-RC4-SHA

68. ECDH-ECDSA-RC4-SHA

69. RC4-SHA

70. RC4-MD5

71. ECDHE-RSA-DES-CBC3-SHA

72. ECDHE-ECDSA-DES-CBC3-SHA

73. EDH-RSA-DES-CBC3-SHA

74. EDH-DSS-DES-CBC3-SHA

75. DH-RSA-DES-CBC3-SHA

76. DH-DSS-DES-CBC3-SHA

77. ECDH-RSA-DES-CBC3-SHA

78. ECDH-ECDSA-DES-CBC3-SHA

79. DES-CBC3-SHA

4.2 Default_NoRc4 Cipher Set

These are the ciphers that are in the Default_NoRc4 system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. ECDHE-RSA-AES256-SHA384

4. ECDHE-ECDSA-AES256-SHA384

5. ECDHE-RSA-AES256-SHA

6. ECDHE-ECDSA-AES256-SHA

7. DH-DSS-AES256-GCM-SHA384

8. DHE-DSS-AES256-GCM-SHA384

9. DH-RSA-AES256-GCM-SHA384

10. DHE-RSA-AES256-GCM-SHA384

11. DHE-RSA-AES256-SHA256

12. DHE-DSS-AES256-SHA256

13. DH-RSA-AES256-SHA256

14. DH-DSS-AES256-SHA256

15. DHE-RSA-AES256-SHA

16. DHE-DSS-AES256-SHA

17. DH-RSA-AES256-SHA

18. DH-DSS-AES256-SHA

19. DHE-RSA-CAMELLIA256-SHA

20. DHE-DSS-CAMELLIA256-SHA

21. DH-RSA-CAMELLIA256-SHA

22. DH-DSS-CAMELLIA256-SHA

23. ECDH-RSA-AES256-GCM-SHA384

24. ECDH-ECDSA-AES256-GCM-SHA384

25. ECDH-RSA-AES256-SHA384

26. ECDH-ECDSA-AES256-SHA384

27. ECDH-RSA-AES256-SHA

28. ECDH-ECDSA-AES256-SHA

29. AES256-GCM-SHA384

30. AES256-SHA256

31. AES256-SHA

32. CAMELLIA256-SHA

33. ECDHE-RSA-AES128-GCM-SHA256

34. ECDHE-ECDSA-AES128-GCM-SHA256

35. ECDHE-RSA-AES128-SHA256

36. ECDHE-ECDSA-AES128-SHA256

37. ECDHE-RSA-AES128-SHA

38. ECDHE-ECDSA-AES128-SHA

39. DH-DSS-AES128-GCM-SHA256

40. DHE-DSS-AES128-GCM-SHA256

41. DH-RSA-AES128-GCM-SHA256

42. DHE-RSA-AES128-GCM-SHA256

43. DHE-RSA-AES128-SHA256

44. DHE-DSS-AES128-SHA256

45. DH-RSA-AES128-SHA256

46. DH-DSS-AES128-SHA256

47. DHE-RSA-AES128-SHA

48. DHE-DSS-AES128-SHA

49. DH-RSA-AES128-SHA

50. DH-DSS-AES128-SHA

51. DHE-RSA-CAMELLIA128-SHA

52. DHE-DSS-CAMELLIA128-SHA

53. DH-RSA-CAMELLIA128-SHA

54. DH-DSS-CAMELLIA128-SHA

55. ECDH-RSA-AES128-GCM-SHA256

56. ECDH-ECDSA-AES128-GCM-SHA256

57. ECDH-RSA-AES128-SHA256

58. ECDH-ECDSA-AES128-SHA256

59. ECDH-RSA-AES128-SHA

60. ECDH-ECDSA-AES128-SHA

61. AES128-GCM-SHA256

62. AES128-SHA256

63. AES128-SHA

64. CAMELLIA128-SHA

65. ECDHE-RSA-DES-CBC3-SHA

66. ECDHE-ECDSA-DES-CBC3-SHA

67. EDH-RSA-DES-CBC3-SHA

68. EDH-DSS-DES-CBC3-SHA

69. DH-RSA-DES-CBC3-SHA

70. DH-DSS-DES-CBC3-SHA

71. ECDH-RSA-DES-CBC3-SHA

72. ECDH-ECDSA-DES-CBC3-SHA

73. DES-CBC3-SHA

4.3 Best Practices Cipher Set

These are the ciphers that are in the Best Practices system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. DHE-DSS-AES256-GCM-SHA384

4. DHE-RSA-AES256-GCM-SHA384

5. ECDHE-RSA-AES256-SHA384

6. ECDHE-ECDSA-AES256-SHA384

7. ECDHE-RSA-AES256-SHA

8. ECDHE-ECDSA-AES256-SHA

9. DHE-RSA-AES256-SHA256

10. DHE-DSS-AES256-SHA

11. DHE-RSA-AES256-SHA

12. ECDHE-RSA-AES128-GCM-SHA256

13. ECDHE-ECDSA-AES128-GCM-SHA256

14. DHE-RSA-AES128-GCM-SHA256

15. DHE-DSS-AES128-GCM-SHA256

16. ECDHE-RSA-AES128-SHA256

17. ECDHE-ECDSA-AES128-SHA256

18. ECDHE-RSA-AES128-SHA

19. ECDHE-ECDSA-AES128-SHA

20. DHE-RSA-AES128-SHA256

21. DHE-RSA-AES128-SHA

22. DHE-DSS-AES128-SHA256

4.4 Intermediate_compatibility Cipher Set

These are the ciphers that are in the Intermediate_compatibility system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. DHE-DSS-AES256-GCM-SHA384

4. DHE-RSA-AES256-GCM-SHA384

5. ECDHE-RSA-AES256-SHA384

6. ECDHE-ECDSA-AES256-SHA384

7. ECDHE-RSA-AES256-SHA

8. ECDHE-ECDSA-AES256-SHA

9. DHE-RSA-AES256-SHA256

10. DHE-DSS-AES256-SHA

11. DHE-RSA-AES256-SHA

12. AES256-GCM-SHA384

13. AES256-SHA256

14. AES256-SHA

15. SRP-DSS-AES-256-CBC-SHA

16. SRP-RSA-AES-256-CBC-SHA

17. SRP-AES-256-CBC-SHA

18. DH-DSS-AES256-GCM-SHA384

19. DH-RSA-AES256-GCM-SHA384

20. DHE-DSS-AES256-SHA256

21. DH-RSA-AES256-SHA256

22. DH-DSS-AES256-SHA256

23. DH-RSA-AES256-SHA

24. DH-DSS-AES256-SHA

25. DHE-RSA-CAMELLIA256-SHA

26. DHE-DSS-CAMELLIA256-SHA

27. DH-RSA-CAMELLIA256-SHA

28. DH-DSS-CAMELLIA256-SHA

29. CAMELLIA256-SHA

30. ECDHE-RSA-AES128-GCM-SHA256

31. ECDHE-ECDSA-AES128-GCM-SHA256

32. DHE-RSA-AES128-GCM-SHA256

33. DHE-DSS-AES128-GCM-SHA256

34. ECDHE-RSA-AES128-SHA256

35. ECDHE-ECDSA-AES128-SHA256

36. ECDHE-RSA-AES128-SHA

37. ECDHE-ECDSA-AES128-SHA

38. DHE-RSA-AES128-SHA256

39. DHE-RSA-AES128-SHA

40. DHE-DSS-AES128-SHA256

41. AES128-GCM-SHA256

42. AES128-SHA256

43. AES128-SHA

44. SRP-DSS-AES-128-CBC-SHA

45. SRP-RSA-AES-128-CBC-SHA

46. SRP-AES-128-CBC-SHA

47. DH-DSS-AES128-GCM-SHA256

48. DH-RSA-AES128-GCM-SHA256

49. DH-RSA-AES128-SHA256

50. DH-DSS-AES128-SHA256

51. DHE-DSS-AES128-SHA

52. DH-RSA-AES128-SHA

53. DH-DSS-AES128-SHA

54. DHE-RSA-CAMELLIA128-SHA

55. DHE-DSS-CAMELLIA128-SHA

56. DH-RSA-CAMELLIA128-SHA

57. DH-DSS-CAMELLIA128-SHA

58. CAMELLIA128-SHA

59. DES-CBC3-SHA

4.5 Backward_compatibility Cipher Set

These are the ciphers that are in the Backward_compatibility system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. DHE-DSS-AES256-GCM-SHA384

4. DHE-RSA-AES256-GCM-SHA384

5. ECDHE-RSA-AES256-SHA384

6. ECDHE-ECDSA-AES256-SHA384

7. ECDHE-RSA-AES256-SHA

8. ECDHE-ECDSA-AES256-SHA

9. DHE-RSA-AES256-SHA256

10. DHE-DSS-AES256-SHA

11. DHE-RSA-AES256-SHA

12. AES256-GCM-SHA384

13. AES256-SHA256

14. AES256-SHA

15. SRP-DSS-AES-256-CBC-SHA

16. SRP-RSA-AES-256-CBC-SHA

17. SRP-AES-256-CBC-SHA

18. DH-DSS-AES256-GCM-SHA384

19. DH-RSA-AES256-GCM-SHA384

20. DHE-DSS-AES256-SHA256

21. DH-RSA-AES256-SHA256

22. DH-DSS-AES256-SHA256

23. DH-RSA-AES256-SHA

24. DH-DSS-AES256-SHA

25. DHE-RSA-CAMELLIA256-SHA

26. DHE-DSS-CAMELLIA256-SHA

27. DH-RSA-CAMELLIA256-SHA

28. DH-DSS-CAMELLIA256-SHA

29. CAMELLIA256-SHA

30. ECDHE-RSA-AES128-GCM-SHA256

31. ECDHE-ECDSA-AES128-GCM-SHA256

32. DHE-RSA-AES128-GCM-SHA256

33. DHE-DSS-AES128-GCM-SHA256

34. ECDHE-RSA-AES128-SHA256

35. ECDHE-ECDSA-AES128-SHA256

36. ECDHE-RSA-AES128-SHA

37. ECDHE-ECDSA-AES128-SHA

38. DHE-RSA-AES128-SHA256

39. DHE-RSA-AES128-SHA

40. DHE-DSS-AES128-SHA256

41. AES128-GCM-SHA256

42. AES128-SHA256

43. AES128-SHA

44. SRP-DSS-AES-128-CBC-SHA

45. SRP-RSA-AES-128-CBC-SHA

46. SRP-AES-128-CBC-SHA

47. DH-DSS-AES128-GCM-SHA256

48. DH-RSA-AES128-GCM-SHA256

49. DH-RSA-AES128-SHA256

50. DH-DSS-AES128-SHA256

51. DHE-DSS-AES128-SHA

52. DH-RSA-AES128-SHA

53. DH-DSS-AES128-SHA

54. DHE-RSA-CAMELLIA128-SHA

55. DHE-DSS-CAMELLIA128-SHA

56. DH-RSA-CAMELLIA128-SHA

57. DH-DSS-CAMELLIA128-SHA

58. CAMELLIA128-SHA

59. ECDHE-RSA-DES-CBC3-SHA

60. ECDHE-ECDSA-DES-CBC3-SHA

61. DES-CBC3-SHA

62. SRP-DSS-3DES-EDE-CBC-SHA

63. SRP-RSA-3DES-EDE-CBC-SHA

64. SRP-3DES-EDE-CBC-SHA

65. DH-RSA-DES-CBC3-SHA

66. DH-DSS-DES-CBC3-SHA

4.6 WUI Cipher Set

These are the ciphers that are in the WUI system-defined cipher set:

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. ECDHE-RSA-AES256-SHA384

4. ECDHE-ECDSA-AES256-SHA384

5. ECDHE-RSA-AES256-SHA

6. ECDHE-ECDSA-AES256-SHA

7. DH-DSS-AES256-GCM-SHA384

8. DHE-DSS-AES256-GCM-SHA384

9. DH-RSA-AES256-GCM-SHA384

10. DHE-RSA-AES256-GCM-SHA384

11. DHE-RSA-AES256-SHA256

12. DHE-DSS-AES256-SHA256

13. DH-RSA-AES256-SHA256

14. DH-DSS-AES256-SHA256

15. DHE-RSA-AES256-SHA

16. DHE-DSS-AES256-SHA

17. DH-RSA-AES256-SHA

18. DH-DSS-AES256-SHA

19. DHE-RSA-CAMELLIA256-SHA

20. DHE-DSS-CAMELLIA256-SHA

21. DH-RSA-CAMELLIA256-SHA

22. DH-DSS-CAMELLIA256-SHA

23. ECDH-RSA-AES256-GCM-SHA384

24. ECDH-ECDSA-AES256-GCM-SHA384

25. ECDH-RSA-AES256-SHA384

26. ECDH-ECDSA-AES256-SHA384

27. ECDH-RSA-AES256-SHA

28. ECDH-ECDSA-AES256-SHA

29. AES256-GCM-SHA384

30. AES256-SHA256

31. AES256-SHA

32. CAMELLIA256-SHA

33. ECDHE-RSA-AES128-GCM-SHA256

34. ECDHE-ECDSA-AES128-GCM-SHA256

35. ECDHE-RSA-AES128-SHA256

36. ECDHE-ECDSA-AES128-SHA256

37. ECDHE-RSA-AES128-SHA

38. ECDHE-ECDSA-AES128-SHA

39. DH-DSS-AES128-GCM-SHA256

40. DHE-DSS-AES128-GCM-SHA256

41. DH-RSA-AES128-GCM-SHA256

42. DHE-RSA-AES128-GCM-SHA256

43. DHE-RSA-AES128-SHA256

44. DHE-DSS-AES128-SHA256

45. DH-RSA-AES128-SHA256

46. DH-DSS-AES128-SHA256

47. DHE-RSA-AES128-SHA

48. DHE-DSS-AES128-SHA

49. DH-RSA-AES128-SHA

50. DH-DSS-AES128-SHA

51. DHE-RSA-CAMELLIA128-SHA

52. DHE-DSS-CAMELLIA128-SHA

53. DH-RSA-CAMELLIA128-SHA

54. DH-DSS-CAMELLIA128-SHA

55. ECDH-RSA-AES128-GCM-SHA256

56. ECDH-ECDSA-AES128-GCM-SHA256

57. ECDH-RSA-AES128-SHA256

58. ECDH-ECDSA-AES128-SHA256

59. ECDH-RSA-AES128-SHA

60. ECDH-ECDSA-AES128-SHA

61. AES128-GCM-SHA256

62. AES128-SHA256

63. AES128-SHA

64. CAMELLIA128-SHA

65. ECDHE-RSA-DES-CBC3-SHA

66. ECDHE-ECDSA-DES-CBC3-SHA

67. EDH-RSA-DES-CBC3-SHA

68. EDH-DSS-DES-CBC3-SHA

69. DH-RSA-DES-CBC3-SHA

70. DH-DSS-DES-CBC3-SHA

71. ECDH-RSA-DES-CBC3-SHA

72. ECDH-ECDSA-DES-CBC3-SHA

73. DES-CBC3-SHA

4.7 FIPS Cipher Set

These are the ciphers that are in the FIPS system-defined cipher set:

1. ECDHE-RSA-AES256-SHA384

2. ECDHE-ECDSA-AES256-SHA384

3. DHE-RSA-AES256-SHA256

4. DHE-DSS-AES256-SHA256

5. DH-RSA-AES256-SHA256

6. DH-DSS-AES256-SHA256

7. ECDH-RSA-AES256-SHA384

8. ECDH-ECDSA-AES256-SHA384

9. AES256-SHA256

10. AES256-SHA

11. ECDHE-RSA-AES128-SHA256

12. ECDHE-ECDSA-AES128-SHA256

13. DHE-RSA-AES128-SHA256

14. DHE-DSS-AES128-SHA256

15. DH-RSA-AES128-SHA256

16. DH-DSS-AES128-SHA256

17. ECDH-RSA-AES128-SHA256

18. ECDH-ECDSA-AES128-SHA256

19. AES128-SHA256

20. AES128-SHA

21. DES-CBC3-SHA

4.8 Legacy Cipher Set

These are the ciphers that are in the Legacy system-defined cipher set:

1. DHE-RSA-AES256-SHA

2. DHE-DSS-AES256-SHA

3. AES256-SHA

4. ADH-RC4-MD5

5. IDEA-CBC-SHA

6. RC4-SHA

7. RC4-MD5

8. ADH-AES128-SHA

9. DHE-RSA-AES128-SHA

10. DHE-DSS-AES128-SHA

11. AES128-SHA

12. ADH-DES-CBC3-SHA

13. EDH-RSA-DES-CBC3-SHA

14. EDH-DSS-DES-CBC3-SHA

15. DES-CBC3-SHA

References

Unless otherwise specified, the following documents can be found at: http://kemptechnologies.com/documentation.

Web User Interface (WUI), Configuration Guide

KEMP LoadMaster, Product Overview

DoD Common Access Card (CAC) Authentication, Feature Description

RESTful API, Interface Description

SSL Accelerated Services for the LM5305 FIPS, Feature Description

 

 

Document History

 

Date | Change | Reason for Change | Ver. | Resp.
Nov 2014 | Minor changes | Defects resolved | 1.10 | LB
Jan 2015 | Release updates | Updates for 7.1-24 | 1.11 | LB
Sep 2015 | Release updates | Updates for 7.1-30 | 3.0 | LB
Nov 2015 | Minor updates | Enhancements made | 4.0 | LB
Jan 2016 | Minor updates | Updated Copyright Notices | 5.0 | LB
Mar 2016 | Release updates | Updates for 7.1-34 | 6.0 | LB
July 2016 | Release updates | Updates for 7.1.35 | 7.0 | LB
Jan 2017 | Release updates | Updates for 7.2.37 | 8.0 | LB

 
