Get an A+ Rating on SSL Labs for your VIP

Getting an A rating on SSL Labs with an SSL offloaded or re-encrypted service on the LoadMaster is a simple procedure. Navigate to the virtual service, expand SSL Properties, disable SSLv3, TLS 1.0, and TLS 1.1, and then use the drop-down list to select the best practices cipher set.

For those who want a bit tighter security, you can adjust your settings as follows to get an A+ rating:

Enable TLS 1.2 and TLS 1.3 only (This will still work with only TLS 1.2 enabled)

Enable require SNI hostname (Recommended)

Ensure that you have the proper intermediate certificates installed on the LoadMaster. Adding the root cert may bring the following error in the SSL scan regarding the certificate chain: “Contains anchor”. However, this should not stop you from getting an A+ rating.

Create and apply the following content rule to add the HSTS – Strict-Transport-Security header as a “Request Rule” to the Virtual Service under Advanced Properties -> HTTP Header Modifications.

The rule can be created under Rules & Checking -> Content rules.

Rule Type: Add Header

Header Field to be Added: Strict-Transport-Security

Value of Header Field to be Added: max-age=31536000; includeSubDomains

For more information, please see the link below.

https://support.kemptechnologies.com/hc/en-us/articles/360004854192-How-to-get-an-A-Rating-with-SSL-Labs-
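
A way to check the settings above before re-running the scan, as an added example that is not part of the original post or Kemp's own tooling: `parse_hsts` validates a Strict-Transport-Security value per RFC 6797 and compares it with the rule's value, and `accepts` probes one TLS version with SNI. The function names and the use of the page's max-age as the minimum are assumptions of this example.

```python
import socket
import ssl

# max-age from the rule on this page, used here as the expected minimum (assumption).
EXPECTED_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if not name:
            continue
        if name in directives:           # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                      # max-age is mandatory and must be numeric
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def hsts_matches_rule(value):
    """True if the header is at least as strict as the rule shown on this page."""
    policy = parse_hsts(value)
    return bool(policy and policy["max_age"] >= EXPECTED_MAX_AGE
                and policy["include_subdomains"])

def accepts(host, version, port=443, timeout=5.0):
    """True if the service completes a handshake pinned to a single TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # only the protocol version is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sends SNI, needed when "require SNI hostname" is enabled
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    # A local OpenSSL that no longer offers TLS 1.0/1.1 also ends up here.
    except (ssl.SSLError, OSError):
        return False

def tls_report(host):
    """Handshake result for each protocol version the settings above cover."""
    versions = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
                "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}
    return {name: accepts(host, v) for name, v in versions.items()}
```

With the settings described above, `tls_report` against your own VIP should show False for TLS 1.0 and TLS 1.1 and True for TLS 1.2 (and for TLS 1.3 where it is enabled).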

3 comments

jb

Hi Mark,

Are you still able to get an A+ rating? I've been searching but I'm unable to get there at the moment. (already using updated cipher sets from https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices)

dfollis

You should update. TLS 1.1 enabled will prevent the optimal rating. I think some of the cipher sets need to be removed from the above list also.

Nick Smylie

Hi @dfollis

You are correct. I am going to work on getting this updated ASAP. Thanks for the feedback!