How to Get a Score of 100 on SSL Labs

 


 

Summary:

How to get the highest score/rating on SSL Labs for cipher strength.

Environment:

Product: LoadMaster

Version: 7.2.57

Question/Problem Description:

Strengthening the ciphers on a Virtual Service (VS) to give the highest score on SSL Labs.

Cause:

The default settings on an SSL-offloaded VS give an "A" rating, with a protocol strength of 100 and a cipher strength of 90, when using TLS 1.2/1.3 only and the Best Practices cipher set. See the image below.

screen_shot_of_high_security_ciper_result_with_128bit_enabled_on_TLS1.3.png

Resolution:

By adjusting the cipher list, it is possible to secure a score of 100 for cipher strength on SSL Labs.

Please note that with security settings this high, some older client operating systems (OSs) and applications may not be able to connect to the Virtual Service. As always, balance security with availability for the service.

 

Go to "Certificates & Security -> Cipher Sets"

Filter by "Best Practices" cipher set

cipher_set_selection.png

Remove ciphers from the current “Best Practices” cipher list until the following 5 are all that remains:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305

 

Then save it as a new cipher set named "BestPracticesHIGH".

save_as_BestPracticesHIGH.png

 

Then, under SSL Properties, apply that cipher set to a Virtual Service that is offloaded/re-encrypted.

SSL_properties_assign_best_practices_high_cipher_set.png

 

Then deselect the three 128-bit ciphers under the TLS 1.3 settings.

Deselect:

  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_GCM_SHA256

deselect_the_three_128bit.png

 

Now run the SSL Labs test again; the score for Cipher Strength should now be 100.

screen_shot_of_high_security_ciper_result_with_128bit_disabled_on_TLS1.3.png
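The following added example (not Kemp's or Qualys' code) shows why the score moves from 90 to 100: it applies the cipher-strength bands and the strongest/weakest averaging rule from the Qualys SSL Server Rating Guide to the cipher names listed above. The two 256-bit TLS 1.3 suites in `TLS13_256BIT` are an assumption about what stays enabled, since the article does not list them.

```python
import re

# Cipher names copied from the article.
BEST_PRACTICES_HIGH = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]
TLS13_128BIT = [
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
# Assumption (not in the article): the TLS 1.3 suites left enabled.
TLS13_256BIT = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]


def key_bits(name):
    """Symmetric key length implied by an OpenSSL or IANA suite name."""
    if "CHACHA20" in name:
        return 256
    m = re.search(r"AES[_-]?(128|256)", name)
    if m:
        return int(m.group(1))
    raise ValueError(f"unrecognised cipher name: {name}")


def band(bits):
    """Rating Guide band: 0 bits=0, <128=20, <256=80, >=256=100."""
    for limit, score in ((1, 0), (128, 20), (256, 80)):
        if bits < limit:
            return score
    return 100


def cipher_strength_score(names):
    """Average of the bands of the strongest and weakest enabled suite."""
    bits = [key_bits(n) for n in names]
    return (band(max(bits)) + band(min(bits))) // 2


def weak_suites(names):
    """Suites that hold the score below 100 (key shorter than 256 bits)."""
    return [n for n in names if key_bits(n) < 256]
```

Running `weak_suites()` over an exported cipher list before re-testing shows which entries would still cap the score at 90.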

Notes:

SSL Accelerated Service:

https://support.kemptechnologies.com/hc/en-us/articles/6263740012301-SSL-Accelerated-Services
