
How To Get A or A+ on Qualys SSL Labs


Description

Qualys SSL Labs can return a B or lower grade because of the cipher suites configured in the Front End SSL profile.

This article provides the Silverline configuration required to achieve an A or A+ grade from a Qualys SSL Labs scan.

  • Qualys derives the grade from Protocol Support, Key Exchange and Cipher Strength (a valid certificate is also required); the Front End cipher string affects Key Exchange and Cipher Strength.

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy/Proxies
  • SSL Certificate/SSL Frontend Profile/SSL Backend Profile
  • SSL Ciphers


Procedure

Important

It is your responsibility to run the Qualys SSL Labs scan and verify the rating. These are the SOC's best recommendations at this time; Qualys may change its grading criteria, and that is beyond the SOC's control.

  1. Identify the Front End SSL profile assigned to the desired proxy.
  2. Locate that profile under Config > Proxy & App Configuration > SSL Management > Front End SSL Profile.
  3. Edit the SSL profile.
  4. Under SSL Cipher, select custom - Static from the drop-down and set the cipher string so that it includes only the following suites (as a colon-separated string: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256):
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-RSA-AES128-SHA256
    [Screenshot: Front End SSL Profile with the custom - Static cipher string]
      • The following two suites are flagged "Weak" by Qualys because they use CBC mode rather than an AEAD mode (GCM). They do not lower the grade below A and are not considered insecure; they are included only for maximum client compatibility:
        • ECDHE-RSA-AES256-SHA384 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        • ECDHE-RSA-AES128-SHA256 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
      • To remove the weak suites, drop them from the cipher string and keep only:
        • ECDHE-RSA-AES256-GCM-SHA384 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
        • ECDHE-RSA-AES128-GCM-SHA256 (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        Important note: these GCM suites are not in the default Backend SSL profile cipher string. Add ECDHE+AES-GCM to the backend string so that it reads:
        !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:@SPEED
        [Screenshot: Backend SSL Profile cipher string including ECDHE+AES-GCM]
  5. Strong ciphers alone earn an A. To achieve A+:
    • The proxy must send HTTP Strict Transport Security (HSTS) with a long duration (SSL Labs requires a max-age of at least six months).
    • Silverline implements this with an iRule; see the HSTS iRule.
      • Contact the SOC to configure the HSTS iRule.
  6. Run the Qualys SSL Labs scan and verify the rating.
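As an added offline pre-check (example code written for this article, not Silverline's or Qualys' own), the following Python script models the grading points from steps 4 and 5: it classifies each suite in a Front End cipher string as insecure, weak (CBC) or strong (AEAD), checks forward secrecy, parses the HSTS max-age, and reports whether the combination lands at "B or lower", A, or A+. The rules approximate SSL Labs' published criteria rather than reproduce its scoring code, so the scan remains the source of truth. The LEGACY_EXAMPLE string and the HSTS header value are constructed for illustration, and probe() is a hypothetical helper (needs network access) that records the suite and header a real proxy returns to this client.

```python
"""Offline pre-check for the grading points in the procedure above, plus an
optional live probe of the proxy. This approximates the published SSL Labs
criteria (insecure suites, forward secrecy, AEAD, HSTS max-age); it is not
Qualys' scoring code, and the scan itself remains the source of truth."""
import http.client
import re
import ssl
from typing import Optional

# Front End SSL profile cipher strings from the procedure.
FRONTEND_COMPATIBLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
)
FRONTEND_STRICT = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# Constructed example of a permissive legacy string (not from the article).
LEGACY_EXAMPLE = "AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA"

SIX_MONTHS = 15768000  # seconds; SSL Labs' "long duration" HSTS threshold for A+

INSECURE = re.compile(r"EXPORT|NULL|RC4|MD5|DES")  # "DES" also matches DES-CBC3 (3DES)
AEAD = re.compile(r"GCM|CCM|CHACHA20")


def classify(suite: str) -> str:
    """One suite name -> 'insecure', 'weak' (CBC, non-AEAD) or 'strong' (AEAD)."""
    if INSECURE.search(suite):
        return "insecure"
    return "strong" if AEAD.search(suite) else "weak"


def forward_secrecy(suite: str) -> bool:
    """ECDHE/DHE suites and every TLS 1.3 suite use ephemeral key exchange."""
    return suite.startswith(("ECDHE-", "DHE-", "TLS_"))


def hsts_max_age(header: Optional[str]) -> int:
    """max-age from a Strict-Transport-Security value; 0 if absent or unparsable."""
    if not header:
        return 0
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def grade(cipher_string: str, hsts_header: Optional[str] = None) -> dict:
    """Estimate the SSL Labs grade for a colon-separated list of concrete suite
    names (as in the Front End string) and the HSTS header the proxy sends.
    F5 group syntax such as ECDHE+AES-GCM is rejected rather than guessed at."""
    suites = [s for s in cipher_string.split(":") if s and not s.startswith(("!", "@"))]
    if not suites or any("+" in s for s in suites):
        raise ValueError("expected concrete suite names, e.g. ECDHE-RSA-AES256-GCM-SHA384")
    verdict = {s: classify(s) for s in suites}
    insecure = [s for s, v in verdict.items() if v == "insecure"]
    weak = [s for s, v in verdict.items() if v == "weak"]
    reasons = []
    if insecure:
        reasons.append("insecure suites: " + ", ".join(insecure))
    if not all(forward_secrecy(s) for s in suites):
        reasons.append("suites without forward secrecy (static RSA key exchange)")
    if "strong" not in verdict.values():
        reasons.append("no AEAD (GCM/CHACHA20) suite offered")
    age = hsts_max_age(hsts_header)
    if reasons:
        letter = "B or lower"
    elif age >= SIX_MONTHS:
        letter = "A+"
    else:
        letter = "A"
        reasons.append(f"HSTS max-age {age} is below {SIX_MONTHS}; A+ needs a long duration")
    return {"grade": letter, "weak": weak, "insecure": insecure, "reasons": reasons}


def probe(host: str, port: int = 443) -> dict:
    """Hypothetical live sanity check (needs network): record the suite the proxy
    negotiates with this client and its Strict-Transport-Security header, then
    grade that single observation. A scan sees the whole offered set; this
    sees only the one suite this client negotiated."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()
    suite, version, _bits = conn.sock.cipher()  # read before the response may close the socket
    conn.request("HEAD", "/", headers={"Host": host})
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return {"host": host, "version": version, "suite": suite, "hsts": hsts, **grade(suite, hsts)}


if __name__ == "__main__":
    # Constructed header of the kind the HSTS iRule would add.
    hsts = "max-age=31536000; includeSubDomains"
    for label, cs, hdr in [("legacy", LEGACY_EXAMPLE, None),
                           ("compatible, no HSTS", FRONTEND_COMPATIBLE, None),
                           ("strict + HSTS", FRONTEND_STRICT, hsts)]:
        print(label, grade(cs, hdr))
```

Run it before the scan to catch the two common misses: a leftover RC4/3DES or static-RSA suite in the Front End string (capped below A) and an HSTS max-age shorter than six months (A instead of A+). The backend string from step 4 uses F5 group syntax and is deliberately rejected by grade(); it governs the proxy-to-origin connection, which the SSL Labs scan does not see.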

Grade A+

[Screenshot: Qualys SSL Labs summary showing grade A+]

Grade A (with weak ciphers)

[Screenshot: Qualys SSL Labs summary showing grade A with the CBC suites flagged WEAK]
