How to get an A+ Rating with SSL Labs?

Achieving an A or A+ rating from SSL Labs while using the LoadMaster's SSL acceleration function first requires downloading and applying the latest firmware version, 7.2-42. This firmware prevents the latest protocol attacks and addresses critical vulnerabilities. See the LoadMaster Release Notes.

The latest firmware can be downloaded from the Downloads section of the KEMP Support site: http://support.kemptechnologies.com.

Note: You must be logged into the Support site in order to see the Downloads section.

In general, there are four main components that determine the strength of a given site's SSL implementation: Certificate, Protocol Support, Key Exchange and Cipher Strength.

Certificates

Ensure that your certificate has been issued by an authorized Certificate Authority.

A chain issue in an SSL Labs report means that an intermediate certificate is missing from your LoadMaster. To resolve it, upload and apply the intermediate certificate from your Certificate Authority's (CA) website to your LoadMaster. For more information, see SSL Certificate Chain Issues.

Steps on how to upload your certificate to the LoadMaster can be found here.

Steps on how to upload your intermediate certificate to the LoadMaster can be found here.

Protocol Support

SSLv3 is an old version of the SSL protocol that is affected by a number of known vulnerabilities. It should be disabled; see Disabling SSLv3 Protocol.

Key Exchange and Cipher Strength

The BestPractices cipher set is the recommended cipher set to use. In your Virtual Service configuration, expand the SSL Properties section and select the BestPractices cipher set.

Refer to the following article for detailed steps on how to enable the BestPractices cipher set: How Do I Enable BestPractices Cipher Set?

Here is the list of ciphers in the BestPractices Cipher Set (as of writing):

1. ECDHE-RSA-AES256-GCM-SHA384

2. ECDHE-ECDSA-AES256-GCM-SHA384

3. DHE-DSS-AES256-GCM-SHA384

4. DHE-RSA-AES256-GCM-SHA384

5. ECDHE-RSA-AES256-SHA384

6. ECDHE-ECDSA-AES256-SHA384

7. ECDHE-RSA-AES256-SHA

8. ECDHE-ECDSA-AES256-SHA

9. DHE-RSA-AES256-SHA256

10. DHE-DSS-AES256-SHA

11. DHE-RSA-AES256-SHA

12. ECDHE-RSA-AES128-GCM-SHA256

13. ECDHE-ECDSA-AES128-GCM-SHA256

14. DHE-RSA-AES128-GCM-SHA256

15. DHE-DSS-AES128-GCM-SHA256

16. ECDHE-RSA-AES128-SHA256

17. ECDHE-ECDSA-AES128-SHA256

18. ECDHE-RSA-AES128-SHA

19. ECDHE-ECDSA-AES128-SHA

20. DHE-RSA-AES128-SHA256

21. DHE-RSA-AES128-SHA

22. DHE-DSS-AES128-SHA256

Note: This list of ciphers provides the greatest compatibility while still maintaining an A rating. However, Windows XP clients using Internet Explorer 6 will not be able to connect. If this is a necessity, re-enable SSLv3.
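The following Python check is an added example, not KEMP's code or part of the original article. It audits a configured cipher list against the BestPractices set listed above and reports every entry that falls outside it. The function names and the sample input are constructed for illustration; cipher names use the OpenSSL format shown in the list.

```python
# Added example: audit a configured cipher list against the BestPractices set above.
BEST_PRACTICES = """
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA256
""".split()

EPHEMERAL = {"ECDHE", "DHE"}  # ephemeral key exchange, which gives forward secrecy
WEAK = {"RC4", "DES", "CBC3", "MD5", "NULL", "EXP"}  # tokens of obsolete algorithms

def parse(name):
    """Split an OpenSSL-style cipher name into its components."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:  # e.g. AES256-SHA: the name carries no ECDHE/DHE prefix
        kx, auth, rest = None, None, parts
    return {"kx": kx, "auth": auth, "enc": rest[0],
            "aead": "GCM" in rest, "mac": rest[-1], "tokens": set(parts)}

def audit(configured):
    """Return {cipher: [findings]} for every cipher that deviates from the set."""
    report = {}
    for name in configured:
        info, findings = parse(name), []
        if name not in BEST_PRACTICES:
            findings.append("not in BestPractices set")
        if info["kx"] is None:
            findings.append("no ECDHE/DHE key exchange")
        findings += [f"weak algorithm: {t}" for t in sorted(info["tokens"] & WEAK)]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    # Constructed sample: a cipher list as it might be exported from a device.
    sample = ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"]
    for cipher, findings in audit(sample).items():
        print(f"{cipher}: {', '.join(findings)}")
    aead = sum(parse(c)["aead"] for c in BEST_PRACTICES)
    print(f"{aead} of {len(BEST_PRACTICES)} BestPractices ciphers use AEAD (GCM)")
```

Every entry in the BestPractices set starts with ECDHE or DHE, so the audit returns no findings for the set itself.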
