How do I get an A rating at SSL Labs?

Getting an A or A+ rating from SSL Labs while using the LoadMaster's SSL acceleration function first requires the latest LoadMaster firmware. The latest firmware can be downloaded from the Downloads section of the KEMP Support site: http://support.kemptechnologies.com.

Note: You must be logged into the Support site in order to see the Downloads section.

In general, there are four main components that determine the strength of a given site's SSL implementation: Certificate, Protocol Support, Key Exchange and Cipher Strength.

In order to prevent protocol downgrade attacks, the "TLS_FALLBACK_SCSV" flag is used in firmware version 7.1-24 and later.

SSLv3 should be disabled. To disable SSLv3, go to the Virtual Service modify screen in the LoadMaster WUI, expand the SSL Properties section and enable the Support TLS Only option.

Also, the list of Ciphers used must be modified. In the SSL Properties section, select the ciphers below to be used.

Note: The order of the ciphers below is important.

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES128-SHA
EDH-DSS-DES-CBC3-SHA
AES256-SHA256
AES256-SHA
AES128-SHA256
AES128-SHA
DES-CBC3-SHA


This list of ciphers provides the greatest compatibility while still maintaining an A rating. However, Windows XP clients using Internet Explorer 6 will not be able to connect. If this is a necessity, re-enable SSLv3.
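Because the order matters and each suite name also fixes the certificate key type it needs, the following added example (not KEMP's code) filters the list above by certificate key type and reports what remains, in preference order. The function names and the `cert_key` parameter are hypothetical; suite names are parsed according to OpenSSL's pre-TLS 1.3 naming as used in this article.

```python
# Added example (not KEMP code): which suites in the article's ordered list can a
# server actually negotiate for a given certificate key type?
ARTICLE_ORDER = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-DSS-AES256-SHA256
DHE-DSS-AES256-SHA DHE-DSS-AES128-SHA256 DHE-DSS-AES128-SHA
EDH-DSS-DES-CBC3-SHA AES256-SHA256 AES256-SHA AES128-SHA256 AES128-SHA
DES-CBC3-SHA
""".split()


def parse(name):
    """Split an OpenSSL suite name into key exchange, auth, cipher and mode."""
    parts = name.split("-")
    kx, auth = "RSA", "RSA"          # no prefix: static RSA key exchange and auth
    if parts[0] in ("ECDHE", "DHE", "EDH"):   # EDH is OpenSSL's older spelling of DHE
        kx = {"EDH": "DHE"}.get(parts[0], parts[0])
        auth, parts = parts[1], parts[2:]
    if parts[:2] == ["DES", "CBC3"]:
        cipher, mode = "3DES", "CBC"
    elif parts[0].startswith("RC4"):
        cipher, mode = "RC4", "stream"
    else:                             # AES names on this page: GCM if stated, else CBC
        cipher, mode = parts[0], "GCM" if "GCM" in parts else "CBC"
    return {"name": name, "kx": kx, "auth": auth, "cipher": cipher,
            "mode": mode, "fs": kx in ("ECDHE", "DHE")}


def audit(suites, cert_key):
    """Report on the suites usable with a certificate of type cert_key
    ('RSA', 'ECDSA' or 'DSS'), keeping the configured preference order."""
    usable = [s for s in map(parse, suites) if s["auth"] == cert_key]
    return {
        "usable": [s["name"] for s in usable],
        "first": usable[0]["name"] if usable else None,
        "aead": [s["name"] for s in usable if s["mode"] == "GCM"],
        "cbc": [s["name"] for s in usable if s["mode"] == "CBC"],
        "no_forward_secrecy": [s["name"] for s in usable if not s["fs"]],
    }


if __name__ == "__main__":
    for key in ("RSA", "ECDSA", "DSS"):
        report = audit(ARTICLE_ORDER, key)
        print(key, "first:", report["first"], "| AEAD:", report["aead"],
              "| no FS:", len(report["no_forward_secrecy"]))
```

With an RSA certificate, none of the suites left from this list is a GCM suite; with an ECDSA certificate the first usable suite is ECDHE-ECDSA-AES256-GCM-SHA384.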


Comments

Alan.McBurney

Configuring a loadmaster using the above recommendation will receive a B grading from SSL Labs.

DHE-RSA-AES128-SHA256 must be removed in order to get an A

Jonathan Kopf

Thank you for your feedback. As always security is a moving target. The article has been updated to reflect the new cipher suite list with the now offending cipher removed.

mikenorton

DHE is NOT an "offending cipher suite." Having DHE enabled is NOT what triggers the B grade. What triggers the B grade is a POOR IMPLEMENTATION of DHE, which Kemp LoadMasters are guilty of but Kemp refuses to address. If DHE were implemented securely, you'd still get an A grade. See my comment on https://support.kemptechnologies.com/hc/en-us/articles/205206775-Logjam-CVE-2015-4000 and my much earlier post at https://support.kemptechnologies.com/hc/communities/public/questions/202211469-Weak-DH-parameters-with-cipher-suites-that-use-DHE-key-exchange

James Rago Global Support Manager

ECDHE (Elliptic Curve Ephemeral Diffie-Hellman) is specifically cited by the paper summarized at weakdh.org as the #1 recommendation to avoid all documented issues with "classic" DHE. ECDHE is also a better-performing key exchange algorithm. KEMP recommends that wherever possible customers configure their LoadMasters to use ECDHE cipher suites in preference to DHE cipher suites, as client support should be equivalent.

For the rare corner cases (e.g., Java 6 without ECC provider, custom clients) where PFS (Perfect Forward Security) is desired and ECDHE is not supported, version 7.1-30 of our LoadMaster firmware will offer configurable DHE bit-length selection, up to 2048-bit. We expect to have this available in a future release.

christoph.ender

I found that for the given set of ciphers Chrome on Windows 7 complains about an obsolete cipher suite. Adding ECDHE-RSA-AES128-GCM-SHA256 to the top of the list solved this problem for me (we're not using an ECDSA key; for these kinds of certificates ECDHE-ECDSA-AES128-GCM-SHA256 should already cover this, but I'm not able to test it).

john.stacey

I too found that Google Chrome gives an obsolete cipher suite message using the list recommended above despite the 'A' rating at SSL Labs. I changed my list to:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
EDH-DSS-DES-CBC3-SHA
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA

Again order is important, I prefer ECDSA to RSA because of the smaller signatures required and ECDHE takes precedence over DHE due to computational power required, similarly AES128 is preferred over AES256 as it provides adequate security and uses less computational power. This order gives me the browser compatibility I need with an 'A' rating at SSL Labs and a modern cipher message in Chrome.

operations

Hello,

One question... I was playing around with cipher sets, and now I have ended up with some unnecessary sets. How can I delete them?

Thanks

Mike Peters

I just upgraded to 7.1-30-75.20150929-0318 (the latest GA version) and I'm still only getting 90% for Key Exchange at SSL Labs. Everything else is at 100%. This yields an A rating, but our competition is touting an A+ rating. How do I resolve this with the load balancer?

alexandre.giraud

Hi, and what about "Session resumption"? SSL Labs is still saying no support and marks it as 'orange'. Not really a big security issue, but for a manager it's easier to give a full green report!

it

As of now, this list receives an F rating due to the CVE-2016-2107 Padding Oracle vulnerability. Is there an updated list somewhere to mitigate this failure?

mikenorton

If you want to mitigate CVE-2016-2107 by changing your cipher suites, then you need to disable all AES-CBC suites, but that will have implications for client compatibility. You might be better off upgrading your LM to a version with a fixed OpenSSL. Kemp has a separate article about CVE-2016-2107.

it

The CVE-2016-2107 article is confusing because it lists the LM-3600 devices as being unaffected, but I assume all Kemp devices are?

mikenorton

Why would you assume that? The article is pretty clear that only machines using Intel AES-NI instructions are affected. The underlying OpenSSL bug is in the part of the code that deals with AES-NI implementation. Anyway you are dragging this thread way off topic; it's kind of annoying.

billing

What's the latest CIPHER set to be used?

TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH secp256r1 (eq. 3072 bits RSA) FS INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128

Those are insecure according to SSL Labs.