SSL Security Settings


What are the currently recommended SSL settings on the KEMP load balancer?
SSL3 has problems with man-in-the-middle attacks.
Could there be any negative effects on the Exchange 2013 environment
when I disable SSL renegotiation on the LoadMaster?

1 comment

Christian Scheller Official comment

Hello Daniel,

The current recommendation is to only use Elliptic Curve Diffie-Hellman ciphers, recognizable by the letters "ECDH" at the beginning. In addition, please make sure to use the latest firmware. Regarding SSL negotiation, once you're sure which ciphers the CAS server would accept, it is safe to only use the one indicated by a test. In order to find that out, you can make use of the openssl suite by executing the following command:

openssl s_client -connect mycasserverip:443 -showcerts -debug

This would show you the valid connection parameters the CAS server is running with. You can then adapt to it.
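
The check described in the comment above can be scripted. The following is an added example, not part of the original comment or of any KEMP tooling: it reads `openssl s_client` output, extracts the negotiated protocol and cipher, and reports whether the cipher name starts with "ECDH". The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise what `openssl s_client` negotiated with a server.

# Constructed sample of s_client output (not captured from a real server).
sample_output() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
EOF
}

# Print "protocol cipher" taken from the SSL-Session block on stdin.
negotiated() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END { if (proto != "" && cipher != "") print proto, cipher; else exit 1 }'
}

# Succeeds if the cipher name begins with ECDH (covers ECDH- and ECDHE- suites).
# TLS 1.3 suite names carry no key-exchange prefix, so this name test only
# applies to TLS 1.2 and older cipher names.
is_ecdh() {
    case "$1" in
        ECDH*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read s_client output on stdin; print OK/FAIL with protocol and cipher.
# Live use: openssl s_client -connect mycasserverip:443 </dev/null 2>/dev/null | check_session
check_session() {
    result=$(negotiated) || { echo "no session found"; return 2; }
    proto=${result% *}
    cipher=${result#* }
    case "$proto" in
        SSLv2|SSLv3) echo "FAIL $proto $cipher"; return 1 ;;
    esac
    if is_ecdh "$cipher"; then
        echo "OK $proto $cipher"
    else
        echo "FAIL $proto $cipher"; return 1
    fi
}
```
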