
Qualys SSL-Labs rating (A+,A, A-,B,C)


Written by
Samir Jha
Jha.Samir@yahoo.com
Please comment if anything is missed. Continuous improvement is key to network security.


Every day we are all fighting for application security, database security and so on. As the security
of the network matures, our aim is to push forward and make the requirements stricter. This process of
continuous improvement is what really matters to us.

According to Qualys SSL Pulse reporting, over 40% of web application sites have configurations that can be
considered good (A and B ratings), and 3% of websites get an A+ rating. So the goal of the grading
criteria is to push the number of A+ sites up. An application delivery controller (the F5 ADC) has the
ability to fine-tune your application's TLS settings and achieve a good rating.

Methodology Overview
The SSL Labs approach consists of four steps: one certificate check followed by three server-configuration checks.

1. We first look at the certificate to verify that it is valid and trusted.

2. We inspect the server configuration in three categories:
   Protocol support
   Key exchange support
   Cipher support

How to get a Qualys SSL-Labs "A" rating?


We assume your application is hosted behind an F5 load balancer. You need to change the client SSL profile
settings to achieve an A rating:

Exclude DHE-based algorithms (the !DHE+... terms in the list below).


Prefer ECDHE-based algorithms (they are listed first, so the BIG-IP negotiates them ahead of plain RSA key exchange).

Cipher list (BIG-IP v11 and v12):


!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@STRENGTH

How to achieve a Qualys SSL-Labs "A+" rating


To achieve an "A+" rating you need to add an HTTP Strict Transport Security (HSTS) iRule to the load
balancer virtual server (VIP). HSTS is designed to protect domains against both downgrade (SSL-stripping)
and passive network attacks.

# Attach to the HTTPS virtual server only: browsers ignore an HSTS header received over plain HTTP.
when HTTP_RESPONSE {
    # max-age is in seconds; 15552000 = 180 days. Append "; includeSubDomains" only if every
    # subdomain is served over HTTPS, otherwise HTTP-only subdomains break for returning browsers.
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000"
}

Include the cipher list below in the client SSL profile.

Cipher list (BIG-IP v11 & v12):


!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

Note: To keep your website at an A / A+ grade in the future, you have to change your supported cipher
suites once again, so that every DES-based (3DES) algorithm is either removed completely (this may have a
compatibility impact with old clients) or at least placed at the very bottom of the cipher suite list. The
"A+" list above already removes it with !3DES. The "A" list still carries ECDHE+3DES and RSA+3DES, and
@STRENGTH sorts by nominal key length, where 3DES counts as 168 bits, so it can sort above the 128-bit AES
suites; verify the resulting order on the BIG-IP rather than assuming 3DES ends up last.
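The rules in the two cipher lists above and in the HSTS iRule can be checked offline before you run the SSL Labs test. The Python script below is an added example, not F5 or Qualys code and not part of the original page. It parses a cipher listing in the column layout that `tmm --clientciphers '<cipher string>'` prints on a BIG-IP (ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX); the two listings embedded in it are constructed samples in that layout, not real device output, and the row regex is an assumption to adjust if your TMOS version prints different columns. It flags everything the "A" list excludes (SSLv2/SSLv3, export strength, RC4, MD5, DHE), checks that ECDHE ranks above plain RSA key exchange, applies the note's 3DES rule, and checks a Strict-Transport-Security header value against the max-age the iRule sends. To apply a string on the device itself, use `tmsh modify ltm profile client-ssl <profile> ciphers '<string>'`, where `<profile>` is your own profile name.

```python
"""Offline checks for the cipher-list and HSTS rules on this page.

Added example, not F5 or Qualys code. The two listings are constructed
samples in the column layout of `tmm --clientciphers '<string>'` on BIG-IP
(ID SUITE BITS PROT METHOD CIPHER MAC KEYX); paste real output in their place.
"""
import re

# Constructed sample: roughly what the "A" string above could expand to,
# with the 3DES suites at the bottom as the note requires.
SAMPLE_A = """\
       ID  SUITE                         BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM SHA256  ECDHE_RSA
 2:   157  AES256-GCM-SHA384             256  TLS1.2  Native  AES-GCM SHA384  RSA
 3:    53  AES256-SHA                    256  TLS1    Native  AES     SHA     RSA
 4: 49170  ECDHE-RSA-DES-CBC3-SHA        168  TLS1    Native  DES     SHA     ECDHE_RSA
 5:    10  DES-CBC3-SHA                  168  TLS1    Native  DES     SHA     RSA
"""

# Constructed sample of a profile that breaks several of the page's rules.
SAMPLE_BAD = """\
       ID  SUITE                         BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    51  DHE-RSA-AES128-SHA            128  TLS1    Native  AES     SHA     EDH/RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM SHA256  ECDHE_RSA
 2:     5  RC4-SHA                       128  TLS1    Native  RC4     SHA     RSA
 3:    10  DES-CBC3-SHA                  168  TLS1    Native  DES     SHA     RSA
 4:    47  AES128-SHA                    128  TLS1    Native  AES     SHA     RSA
"""

# One listing row: "<n>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>".
# Assumption: adjust if your TMOS version prints different columns.
ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)"
    r"\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)


def parse_listing(text):
    """Return the rows of a tmm-style cipher listing as dicts, in listed order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line has no "<n>:" prefix and is skipped
            row = m.groupdict()
            row["bits"] = int(row["bits"])
            rows.append(row)
    return rows


def check_listing(text):
    """Apply the page's rules; errors fail the "A" list, warnings only matter for A+."""
    rows = parse_listing(text)
    errors, warnings = [], []
    if not rows:
        return {"errors": ["no cipher suites parsed"], "warnings": warnings}
    # Forward secrecy: an ECDHE suite must exist and rank above plain RSA key exchange.
    first_ecdhe = next((i for i, r in enumerate(rows) if r["keyx"].startswith("ECDHE")), None)
    first_rsa = next((i for i, r in enumerate(rows) if r["keyx"] == "RSA"), None)
    if first_ecdhe is None:
        errors.append("no ECDHE suite: no forward secrecy on offer")
    elif first_rsa is not None and first_rsa < first_ecdhe:
        errors.append(f"{rows[first_rsa]['suite']}: plain RSA ranked above the first ECDHE suite")
    for r in rows:
        name = r["suite"]
        if r["prot"].upper().startswith("SSL"):  # !SSLv2 / -SSLv3
            errors.append(f"{name}: {r['prot']} suite enabled")
        if r["bits"] < 128:                      # !EXPORT
            errors.append(f"{name}: weak/export strength ({r['bits']} bits)")
        if r["cipher"] == "RC4":                 # -RC4
            errors.append(f"{name}: RC4 enabled")
        if r["mac"] == "MD5":                    # -MD5
            errors.append(f"{name}: MD5 MAC enabled")
        if r["keyx"].startswith("EDH"):          # !DHE+...
            errors.append(f"{name}: DHE key exchange enabled")
    # The note's 3DES rule: remove it, or keep it strictly at the bottom of the list.
    des_positions = [i for i, r in enumerate(rows) if r["cipher"] == "DES"]
    if des_positions:
        if any(r["cipher"] != "DES" for r in rows[des_positions[0]:]):
            errors.append("3DES suites are ranked above non-3DES suites")
        else:
            warnings.append("3DES suites present at the bottom; drop them (!3DES) for A+")
    return {"errors": errors, "warnings": warnings}


# 180 days, the value the iRule above sends; assumed here as the floor to accept.
HSTS_MIN_MAX_AGE = 15552000


def check_hsts(header_value):
    """Return (ok, max_age) for a Strict-Transport-Security header value."""
    max_age = None
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return (False, None)
    return (max_age is not None and max_age >= HSTS_MIN_MAX_AGE, max_age)
```

Replace SAMPLE_A with the real output of `tmm --clientciphers` for your profile's string and call `check_listing()` on it; an empty `errors` list means the listing honours every exclusion the "A" list makes, and the single 3DES warning is what separates that list from the "A+" one. `check_hsts()` takes the header value as a browser would see it in the response, so it can be fed the output of any header-dumping tool you already use.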
SSL Labs test

https://www.ssllabs.com/ssltest/index.html
