How to get an A+ Rating with SSL Labs?
At the time of this writing, the current firmware was 7.2.49.1.
Achieving an A or A+ rating from SSL Labs while using the LoadMaster's SSL acceleration function first requires downloading and applying the latest firmware version. This protects against the latest protocol attacks and addresses critical vulnerabilities. See the LoadMaster Release Notes.
The latest firmware can be downloaded from the Downloads section of the KEMP Support site: https://support.kemptechnologies.com/hc/en-us/sections/200428766-Firmware-Downloads.
Note: You must be logged into the Support site in order to see the Downloads section.
In general, there are four main components that determine the strength of a given site's SSL implementation: Certificate, Protocol Support, Key Exchange, and Cipher Strength.
Certificates
Ensure that your certificate has been issued by a trusted Certificate Authority.
A "Chain issues" finding in an SSL Labs report means that an intermediate certificate is missing from your LoadMaster. To resolve this, upload and apply the intermediate certificate from your Certificate Authority's (CA) website to your LoadMaster. For more information, see SSL Certificate Chain Issues.
Steps on how to upload your certificate to the LoadMaster can be found here.
Steps on how to upload your intermediate certificate to the LoadMaster can be found here.
Protocol Support
Disable SSLv3, TLS1.0 and TLS1.1, so that only TLS1.2 and TLS1.3 remain enabled.
Enable Require SNI Hostname (recommended).
Key Exchange and Cipher Strength
The BestPractices Cipher Set is the recommended cipher set to use. In your Virtual Service configuration, expand the SSL Properties section and select the BestPractices cipher set.
Refer to the following article for detailed steps on how to enable the BestPractices cipher set: How Do I Enable BestPractices Cipher Set?
Here is the list of ciphers in the BestPractices Cipher Set (as of writing):
1. ECDHE-RSA-AES256-GCM-SHA384
2. ECDHE-ECDSA-AES256-GCM-SHA384
3. DHE-DSS-AES256-GCM-SHA384
4. DHE-RSA-AES256-GCM-SHA384
5. ECDHE-RSA-AES256-SHA384
6. ECDHE-ECDSA-AES256-SHA384
7. ECDHE-RSA-AES256-SHA
8. ECDHE-ECDSA-AES256-SHA
9. DHE-RSA-AES256-SHA256
10. DHE-DSS-AES256-SHA
11. DHE-RSA-AES256-SHA
12. ECDHE-RSA-AES128-GCM-SHA256
13. ECDHE-ECDSA-AES128-GCM-SHA256
14. DHE-RSA-AES128-GCM-SHA256
15. DHE-DSS-AES128-GCM-SHA256
16. ECDHE-RSA-AES128-SHA256
17. ECDHE-ECDSA-AES128-SHA256
18. ECDHE-RSA-AES128-SHA
19. ECDHE-ECDSA-AES128-SHA
20. DHE-RSA-AES128-SHA256
21. DHE-RSA-AES128-SHA
22. DHE-DSS-AES128-SHA256
Note: This list of ciphers provides the greatest compatibility while still maintaining an A rating. However, Windows XP clients using Internet Explorer 6 will not be able to connect. If supporting them is a necessity, re-enable SSLv3.
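The cipher names above are OpenSSL-style suite names, and what SSL Labs scores in the Key Exchange and Cipher Strength categories can be read off each name: the ECDHE/DHE prefix marks a forward-secret key exchange, AES128/AES256 gives the key size, and GCM marks an AEAD mode while a trailing SHA means an HMAC-SHA1 CBC suite. The following script is an added example written for this article; it is not part of the LoadMaster product or Kemp's documentation. It parses a colon-separated cipher string, classifies each suite, and reports suites without forward secrecy and the CBC/SHA1 suites that SSL Labs marks as weak. The `BEST_PRACTICES` string is the article's list transcribed into OpenSSL form; `MIXED_LIST` is a constructed sample containing static-RSA suites so the audit has something to flag.

```python
"""Classify OpenSSL-style TLS cipher suite names and audit a cipher string.

Added example for the BestPractices cipher discussion; not Kemp's code.
"""
import re

# Key-exchange / authentication prefix used by OpenSSL suite names.
KX_PATTERN = re.compile(r"^(ECDHE|DHE)-(RSA|ECDSA|DSS)-")

# The article's BestPractices list, transcribed into OpenSSL colon form.
BEST_PRACTICES = ":".join([
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
])

# Constructed sample: one good suite followed by two static-RSA suites.
MIXED_LIST = "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA"


def analyze_cipher(name):
    """Break one OpenSSL suite name into key exchange, cipher, mode and MAC."""
    m = KX_PATTERN.match(name)
    if m:
        kx, auth, rest = m.group(1), m.group(2), name[m.end():]
    else:
        # No ECDHE/DHE prefix: the RSA certificate key is used for key
        # exchange directly, so a future key compromise exposes old traffic.
        kx, auth, rest = "RSA", "RSA", name
    tokens = rest.split("-")
    cipher = tokens[0]
    bits = re.search(r"(128|256)$", cipher)
    if bits:
        key_bits = int(bits.group(1))
    elif cipher.startswith("CHACHA20"):
        key_bits = 256
    else:
        key_bits = None
    if "GCM" in tokens:
        mode, mac = "GCM", "AEAD"
    elif "POLY1305" in tokens:
        mode, mac = "POLY1305", "AEAD"
    else:
        # Non-AEAD suites are CBC; a bare "SHA" suffix means HMAC-SHA1.
        mode = "CBC"
        mac = "SHA1" if tokens[-1] == "SHA" else tokens[-1]
    return {
        "name": name, "kx": kx, "auth": auth,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "cipher": cipher, "key_bits": key_bits, "mode": mode, "mac": mac,
    }


def audit_cipher_string(cipher_string):
    """Summarise a colon-separated cipher string the way a scanner would."""
    suites = [analyze_cipher(n) for n in cipher_string.split(":") if n]
    return {
        "count": len(suites),
        "preferred": suites[0]["name"] if suites else None,
        "all_forward_secrecy": all(s["forward_secrecy"] for s in suites),
        "static_rsa": [s["name"] for s in suites if not s["forward_secrecy"]],
        "cbc_sha1": [s["name"] for s in suites
                     if s["mode"] == "CBC" and s["mac"] == "SHA1"],
    }


if __name__ == "__main__":
    for label, cs in (("BestPractices", BEST_PRACTICES), ("Mixed", MIXED_LIST)):
        report = audit_cipher_string(cs)
        print(f"{label}: {report['count']} suites, preferred {report['preferred']}")
        print(f"  forward secrecy on every suite: {report['all_forward_secrecy']}")
        print(f"  static RSA key exchange: {report['static_rsa']}")
        print(f"  CBC with HMAC-SHA1: {report['cbc_sha1']}")
```

Run against the article's list, the audit confirms every suite uses ECDHE or DHE, so SSL Labs' "no forward secrecy" cap does not apply, and lists the seven CBC/SHA1 suites kept for compatibility. Paste a different cipher string into `MIXED_LIST` to see which entries would lose forward secrecy.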
HSTS (HTTP Strict Transport Security)
To get the A+ rating, SSL Labs requires HSTS to be enabled. Refer to the following document to add HSTS to your Virtual Service: HTTP Strict Transport Security
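SSL Labs does not award A+ for merely sending a Strict-Transport-Security header; the header has to carry a long max-age. The following checker is an added example written for this article, not Kemp's code: it parses the header's directives and compares max-age against a 180-day minimum, which is my recollection of the SSL Labs rating guide and should be treated as an assumption to verify against the current guide. The header values in `SAMPLES` are constructed.

```python
"""Parse a Strict-Transport-Security header and check it for A+ readiness.

Added example; not part of the article or of the LoadMaster product.
"""

# Assumed A+ threshold: 180 days expressed in seconds (15552000).
MIN_MAX_AGE = 180 * 24 * 60 * 60

# Constructed sample header values a Virtual Service might send.
SAMPLES = {
    "one year, subdomains": "max-age=31536000; includeSubDomains",
    "quoted, preload": 'max-age="15552000"; includeSubDomains; preload',
    "too short": "max-age=300",
    "disabled": "max-age=0",
    "missing": "",
}


def parse_hsts(header_value):
    """Return HSTS directives as a dict; names lower-cased, values unquoted."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def check_hsts(header_value):
    """Evaluate a header value; returns the parsed fields plus any problems."""
    directives = parse_hsts(header_value) if header_value else {}
    problems = []
    max_age = None
    if "max-age" not in directives:
        problems.append("no max-age directive (header missing or malformed)")
    else:
        try:
            max_age = int(directives["max-age"])
        except (TypeError, ValueError):
            problems.append("max-age is not an integer")
        if max_age is not None and max_age < MIN_MAX_AGE:
            # max-age=0 tells browsers to forget the policy entirely.
            problems.append(f"max-age {max_age} is below {MIN_MAX_AGE} seconds")
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
        "meets_a_plus": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        result = check_hsts(value)
        verdict = "ok" if result["meets_a_plus"] else "; ".join(result["problems"])
        print(f"{label:22} -> {verdict}")
```

Feed the function the header value captured from a request to your Virtual Service (for example with a browser's developer tools) to confirm the policy actually reaching clients, not just the one configured.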
Comments
Thank you for your feedback. One quick way to examine the relevance of the information would be to see the firmware version referenced in the article. But with that said we will work on putting a published date as you suggested.
I found this list to work much better to get an A+ rating on SSL Labs.
'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA256:AES256-SHA:AES128-SHA'
Shared Solutions NYSDOH
Good article, but you should include the date published since the reader has no way of knowing how stale the information is.