Best Practices Cipher Set Updated
This article relates to LoadMaster firmware version 7.2.52.
In LoadMaster firmware version 7.2.52, the BestPractices cipher set was updated. The cipher set is now based on the recommendations provided in the Use Secure Cipher Suites section of the following SSL Labs article: SSL and TLS Deployment Best Practices.
A summary of the changes is below:
All "DHE" ciphers removed
All "SHA" ciphers removed
CHACHA20-POLY1305 ciphers added
If you upgrade from a previous firmware version to 7.2.52, the changes to the BestPractices cipher set happen immediately and will affect all Virtual Services using the BestPractices cipher set. If you want to retain your current list of ciphers after upgrading, you can create a custom cipher set before upgrading and applying that cipher set instead of the system-defined BestPractices cipher set. You can do this if needed, but Kemp recommends using the latest system-defined BestPractices cipher set.
The table below details the changes to the BestPractices cipher set in version 7.2.52:
Carried Forward | Added | Removed |
|---|---|---|
ECDHE-ECDSA-AES256-GCM-SHA384 | ECDHE-ECDSA-CHACHA20-POLY1305 | DHE-RSA-AES256-GCM-SHA384 |
| ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-CHACHA20-POLY1305 | DHE-DSS-AES256-GCM-SHA384 |
| ECDHE-RSA-AES256-SHA384 | DHE-RSA-AES256-SHA256 | |
| ECDHE-ECDSA-AES256-SHA384 | DHE-DSS-AES256-SHA | |
| ECDHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES256-SHA | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | DHE-RSA-AES128-GCM-SHA256 | |
| ECDHE-RSA-AES128-SHA256 | DHE-DSS-AES128-GCM-SHA256 | |
| ECDHE-ECDSA-AES128-SHA256 | DHE-RSA-AES128-SHA256 | |
| DHE-RSA-AES128-SHA | ||
| DHE-DSS-AES128-SHA256 | ||
| ECDHE-RSA-AES256-SHA | ||
| ECDHE-ECDSA-AES256-SHA | ||
| ECDHE-RSA-AES128-SHA | ||
| ECDHE-ECDSA-AES128-SHA |
For further information on SSL in general, refer to the Long Term Support (LTS) SSL Accelerated Services Feature Description.