Security Stuffs

Getting an A+ on SSL Labs with F5 and StartSSL

So you have some free certificates from StartSSL.com for your F5 BIG-IP lab and want to get an A+ with SSL Labs?  Don’t be scared.  It’s actually pretty easy.  I’m working under the assumption that you already have a Client SSL Profile built and working.  If not, go back to the google and dig that up.  Having just gone through this, I ran into a couple of small but annoying problems.

Problem 1:  The intermediate certificates are signed with SHA-1.  Terrible.  This will cap you at an A.  I know, you’re an over-achiever and getting an “A” might as well be an “F”.  You gotta have the “A+”.  I’m with you.  Clicking this link will retrieve a PEM encoded SHA-2 signed intermediate certificate.  Save it.  Upload it to your BIG-IP.  Change your Client SSL Profile to use it as the chain.  Rejoice that you’ve overcome this minor annoyance.

Problem 2:  Client Renegotiation.  This isn’t really that big of a problem, but it will be noted during the testing.  Default Client SSL Profiles have “Renegotiation” turned on.  One might be tempted to believe that it’s ANY renegotiation, but really it’s Client Initiated Renegotiation.  From the BIG-IP help menu:

Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests.  Blah blah blah other stuffs..

Why it doesn’t just say “Enables/Disables Client Initiated Renegotiation” is anyone’s guess.  SSL Labs thinks it could be used for a DoS, which it normally could be.  The BIG-IP has a mitigation technique that only allows so many client initiated renegotiation requests per client per minute.  There isn’t really a way to signal back to the testing script to let it know we have it covered, though.  Leave it on and see the message, or turn it off.  Whatever.

Problem 3:  The DEFAULT cipher string is a little too permissive for the SSL Labs testing.  It’s good, mind you.  You could still get an “A” but you might as well wear a sign that says “I’m a Quitter!”.  There are a bunch of good articles about this on DevCentral.  Here and here and here and others I’m sure.  On code release 11.6, I settled on the following (copied from one of the linked articles.  Go Internet!):

DEFAULT:!RC4:ECDHE:AES-GCM:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!ADH-AES256-GCM-SHA384:!ADH-AES128-GCM-SHA256:!AES256-SHA256:!AES256-SHA:@STRENGTH

EDIT – May 5th, 2015

While at a customer site walking them through getting an A+ rating, it was brought to my attention that I had been downgraded to an A.  Many tears were shed, but in the end all was well.  The new cipher string:

!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE_ECDSA+AES-GCM:ECDHE_ECDSA+AES:ECDHE_ECDSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES

Problem 4:  Enable HSTS.  Again, pretty easy to overcome.  Just create an iRule to insert the header and apply it to the virtual server.  You might or might not want to use the “include sub-domains” option.  I can’t because I’m lazy.  (Yes, I own an “I’m a Quitter!” sign).  My iRule looks like this:

when HTTP_RESPONSE {
    # HSTS: one year in seconds. No space after "max-age=", RFC 6797 does not allow one.
    # Add "; includeSubDomains" if every subdomain is also served over HTTPS.
    HTTP::header insert Strict-Transport-Security "max-age=31536000"
    # Clickjacking protection: only allow framing from the same origin.
    HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
}
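As an added check that is not part of the original post or any F5 code, the following Python validates a Strict-Transport-Security header value against the RFC 6797 directive grammar, so a stray space such as “max-age= 31536000” or a missing max-age gets flagged before you re-run SSL Labs.  The 180-day minimum is an assumed threshold; the sample header values are constructed, not captured from any host.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 6797: directive = directive-name [ "=" directive-value ]
# directive-name is an HTTP token; directive-value is a token or quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^({_TOKEN})(?:=("[^"]*"|{_TOKEN}))?$')

MIN_MAX_AGE = 180 * 24 * 3600  # assumed minimum for a strong policy (180 days)


@dataclass
class HstsCheck:
    valid: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def check_hsts(value: str) -> HstsCheck:
    """Parse an HSTS header value; return what was found and any problems."""
    problems: List[str] = []
    seen = {}
    for raw in value.split(";"):          # OWS around ';' is allowed, inside a directive it is not
        part = raw.strip()
        if not part:
            continue                      # empty directives are permitted by the grammar
        m = _DIRECTIVE.match(part)
        if not m:
            problems.append(f"malformed directive: {part!r}")
            continue
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen[name] = m.group(2)
    max_age = None
    if "max-age" not in seen:
        problems.append("max-age directive missing")
    else:
        v = seen["max-age"]
        if v is not None and v.startswith('"'):
            v = v[1:-1]                   # quoted-string form is allowed
        if v is None or not (v.isascii() and v.isdigit()):
            problems.append(f"max-age value is not delta-seconds: {v!r}")
        else:
            max_age = int(v)
            if max_age < MIN_MAX_AGE:
                problems.append(f"max-age {max_age} is below {MIN_MAX_AGE} seconds")
    return HstsCheck(not problems, max_age, "includesubdomains" in seen, "preload" in seen, problems)
```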

After fixing these few things I was presented with my Certificate of Achievement from SSL Labs:

SSL Labs Results

Disclaimers: I work for F5. I am not your security consultant. If this helps you, sweet. If you burn down your datacenter, lose an arm, or have hackers from $country break into your stuff and steal your things while doing a victory dance on your corpse, well, you're on your own.
