Getting an A or A+ rating from SSL Labs while using the LoadMaster's SSL acceleration function first requires the latest LoadMaster firmware. The latest firmware can be downloaded from the Downloads section of the KEMP Support site: http://support.kemptechnologies.com.
Note: You must be logged into the Support site in order to see the Downloads section.
In general, there are four main components that determine the strength of a given site's SSL implementation: Certificate, Protocol Support, Key Exchange and Cipher Strength.
In order to prevent protocol downgrade attacks, the "TLS_FALLBACK_SCSV" flag is used in firmware version 7.1-24 and later.
SSLv3 should be disabled. To disable SSLv3, go to the Virtual Service modify screen in the LoadMaster WUI, expand the SSL Properties section and enable the Support TLS Only option.
Also, the list of Ciphers used must be modified. In the SSL Properties section, select the ciphers below to be used.
Note: The order of the ciphers below is important; select them in exactly this order.
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES128-SHA
EDH-DSS-DES-CBC3-SHA
AES256-SHA256
AES256-SHA
AES128-SHA256
AES128-SHA
DES-CBC3-SHA
This list of ciphers provides the greatest compatibility while still maintaining an A rating. However, Windows XP clients using Internet Explorer 6 will not be able to connect. If support for those clients is required, SSLv3 must be re-enabled, at the expense of the rating.
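The list above is easier to reason about once each suite is broken into the components SSL Labs scores: which key exchange it uses (and therefore whether it offers forward secrecy), which bulk cipher and key size, and whether it is an AEAD (GCM) or CBC-with-HMAC suite. The following script is an added example, not KEMP tooling; it parses the article's 18 OpenSSL-style cipher names, summarises them, and checks the structural ordering the article's list follows (forward-secret suites ahead of static-RSA suites, 3DES last within each group). The ordering rule is a description of the article's list, not a KEMP or SSL Labs requirement, and the 112-bit effective strength assigned to 3DES is the usual convention rather than something the article states.

```python
"""Classify the cipher list from the article by key exchange and cipher
strength, and check the ordering the article says matters.

Added example; not KEMP's own tooling. Cipher names are OpenSSL names,
which is how the LoadMaster WUI presents them."""

# The 18 ciphers exactly as listed in the article, in the article's order.
ARTICLE_CIPHERS = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-DSS-AES256-SHA256
DHE-DSS-AES256-SHA DHE-DSS-AES128-SHA256 DHE-DSS-AES128-SHA
EDH-DSS-DES-CBC3-SHA AES256-SHA256 AES256-SHA AES128-SHA256 AES128-SHA
DES-CBC3-SHA
""".split()

EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")   # key exchanges that give forward secrecy


def parse_cipher(name):
    """Split an OpenSSL cipher name into key exchange, authentication,
    bulk cipher, key bits, AEAD flag and MAC."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL_KX:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # No key-exchange prefix means static RSA key transport (no PFS).
        kx, auth, rest = "RSA", "RSA", parts
    if rest[0].startswith("AES"):
        bulk, bits = rest[0], int(rest[0][3:])
        aead = "GCM" in rest
    elif rest[0] == "DES" and "CBC3" in rest:
        # Triple DES: 112-bit effective strength by convention (assumption, not from the article).
        bulk, bits, aead = "3DES", 112, False
    else:
        raise ValueError("unrecognised bulk cipher in %s" % name)
    return {
        "name": name, "kx": kx, "auth": auth, "pfs": kx in EPHEMERAL_KX,
        "bulk": bulk, "bits": bits, "aead": aead, "mac": rest[-1],
    }


def check_order(names):
    """Return a list of ordering problems; an empty list means forward-secret
    suites precede static-RSA suites and 3DES comes last within each of those
    two groups, which is the structure of the article's list."""
    problems = []
    seen_static = False
    seen_3des = {True: False, False: False}   # keyed by the pfs flag
    for c in map(parse_cipher, names):
        if not c["pfs"]:
            seen_static = True
        elif seen_static:
            problems.append("%s (PFS) listed after a static-RSA suite" % c["name"])
        if c["bulk"] == "3DES":
            seen_3des[c["pfs"]] = True
        elif seen_3des[c["pfs"]]:
            problems.append("%s listed after a 3DES suite of the same group" % c["name"])
    return problems


def summarise(names):
    """Counts a reviewer would want at a glance: PFS coverage, AEAD coverage,
    and the weakest bulk cipher the list still permits."""
    parsed = [parse_cipher(n) for n in names]
    return {
        "total": len(parsed),
        "pfs": sum(c["pfs"] for c in parsed),
        "aead": sum(c["aead"] for c in parsed),
        "weakest_bits": min(c["bits"] for c in parsed),
    }


def openssl_cipher_string(names):
    """Colon-joined form accepted by 'openssl ciphers -v', useful to confirm
    a local OpenSSL recognises every name before pasting it into the WUI."""
    return ":".join(names)


if __name__ == "__main__":
    for c in map(parse_cipher, ARTICLE_CIPHERS):
        print("%-32s kx=%-5s auth=%-5s %s-%d %-6s pfs=%s" % (
            c["name"], c["kx"], c["auth"], c["bulk"], c["bits"],
            "AEAD" if c["aead"] else c["mac"], c["pfs"]))
    print(summarise(ARTICLE_CIPHERS))
    print("ordering problems:", check_order(ARTICLE_CIPHERS) or "none")
    print(openssl_cipher_string(ARTICLE_CIPHERS))
```

Running it shows the trade-off the article describes: 13 of the 18 suites offer forward secrecy, only the two GCM suites are AEAD, and the two 3DES suites at the tail of each group are what keep older clients connecting while pulling the weakest permitted cipher down to 112 bits. Feeding the colon-joined string to `openssl ciphers -v` on a workstation is a quick way to catch a mistyped name before it is selected in the LoadMaster WUI.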