Best Practices Cipher Set Updated

This article relates to LoadMaster firmware version 7.2.52.

In LoadMaster firmware version 7.2.52, the BestPractices cipher set was updated. The cipher set is now based on the recommendations provided in the Use Secure Cipher Suites section of the following SSL Labs article: SSL and TLS Deployment Best Practices.

A summary of the changes is below:

  • All "DHE" ciphers removed

  • All "SHA" ciphers removed

  • CHACHA20-POLY1305 ciphers added

If you upgrade from a previous firmware version to 7.2.52, the changes to the BestPractices cipher set take effect immediately and affect all Virtual Services using the BestPractices cipher set. If you want to retain your current list of ciphers after upgrading, you can create a custom cipher set before upgrading and apply that cipher set instead of the system-defined BestPractices cipher set. You can do this if needed, but Kemp recommends using the latest system-defined BestPractices cipher set.

The table below details the changes to the BestPractices cipher set in version 7.2.52:

| Carried Forward               | Added                         | Removed                   |
|-------------------------------|-------------------------------|---------------------------|
| ECDHE-ECDSA-AES256-GCM-SHA384 | ECDHE-ECDSA-CHACHA20-POLY1305 | DHE-RSA-AES256-GCM-SHA384 |
| ECDHE-RSA-AES256-GCM-SHA384   | ECDHE-RSA-CHACHA20-POLY1305   | DHE-DSS-AES256-GCM-SHA384 |
| ECDHE-RSA-AES256-SHA384       |                               | DHE-RSA-AES256-SHA256     |
| ECDHE-ECDSA-AES256-SHA384     |                               | DHE-DSS-AES256-SHA        |
| ECDHE-RSA-AES128-GCM-SHA256   |                               | DHE-RSA-AES256-SHA        |
| ECDHE-ECDSA-AES128-GCM-SHA256 |                               | DHE-RSA-AES128-GCM-SHA256 |
| ECDHE-RSA-AES128-SHA256       |                               | DHE-DSS-AES128-GCM-SHA256 |
| ECDHE-ECDSA-AES128-SHA256     |                               | DHE-RSA-AES128-SHA256     |
|                               |                               | DHE-RSA-AES128-SHA        |
|                               |                               | DHE-DSS-AES128-SHA256     |
|                               |                               | ECDHE-RSA-AES256-SHA      |
|                               |                               | ECDHE-ECDSA-AES256-SHA    |
|                               |                               | ECDHE-RSA-AES128-SHA      |
|                               |                               | ECDHE-ECDSA-AES128-SHA    |
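
Because the change applies as soon as the upgrade completes, it helps to check beforehand which clients would lose every cipher they share with the BestPractices set. The script below is an added example, not Kemp code: the cipher names are copied from the table above, while the client inventory, the function names and the reading of the "DHE" and "SHA" rules as name patterns are assumptions made for illustration.

```python
# Cipher names copied from the article's table (OpenSSL-style names).
CARRIED_FORWARD = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256
""".split()
ADDED = ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]
REMOVED = """
DHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
""".split()

OLD_SET = CARRIED_FORWARD + REMOVED   # BestPractices before 7.2.52
NEW_SET = CARRIED_FORWARD + ADDED     # BestPractices in 7.2.52


def dropped_by_rule(name):
    """Apply the article's summary rules to one cipher name.

    Assumption: "DHE" means a name starting with DHE- (ECDHE- is kept) and
    "SHA" means a name ending in -SHA (-SHA256 and -SHA384 are kept).
    """
    return name.startswith("DHE-") or name.endswith("-SHA")


def audit_clients(clients):
    """Map each client to 'ok', 'breaks' (shared a cipher with the old set
    but shares none with the new one) or 'never' (no overlap with either)."""
    report = {}
    for client, offered in clients.items():
        before = [c for c in offered if c in OLD_SET]
        after = [c for c in offered if c in NEW_SET]
        report[client] = "ok" if after else ("breaks" if before else "never")
    return report


# Constructed client inventory (hypothetical names and cipher offers).
SAMPLE_CLIENTS = {
    "modern-browser": ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"],
    "legacy-appliance": ["DHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA"],
    "batch-job": ["DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
}

if __name__ == "__main__":
    for client, status in audit_clients(SAMPLE_CLIENTS).items():
        print(f"{client}: {status}")
```

A client reported as "breaks" is the case where a custom cipher set created before the upgrade would be needed to keep it connecting.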

For further information on SSL in general, refer to the Long Term Support (LTS) SSL Accelerated Services Feature Description.
