Recommended SSLCipherSuite for Gateway

I recently noticed that my lab Access Manager (Single Box Appliance) was no longer getting an "A" rating on SSL Labs.  I was using previously recommended settings of:

SSLHonorCipherOrder on

SSLProtocol TLSv1.1 +TLSv1.2

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH

That SSL Cipher Suite is listed in an older thread on this forum. These settings give a "B" rating. I found another cipher suite setting in the NAM docs under the Advanced Configuration section, and it was even worse; it resulted in a "C" result.

After some testing, I got an A+ with this:

SSLHonorCipherOrder on

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3

SSLCipherSuite HIGH:!aNULL:!MD5

Wondering what others are using? I'm not sure if anything (like older browsers) breaks with this.

Is there an official doc from NetIQ listing the recommended best settings?  I couldn't find anything.

Matt
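
The two SSLProtocol lines in the post above leave different protocol sets enabled. The following is an added example, not part of the original post and not NetIQ or Apache code: a simplified model of how an SSLProtocol value is evaluated token by token. The names ALL_PROTOCOLS, resolve_ssl_protocol and audit are hypothetical, and what "all" expands to is an assumption that depends on the Apache/OpenSSL build.

```python
# Added example: simplified model of how mod_ssl evaluates an SSLProtocol value.
# ALL_PROTOCOLS (what "all" expands to) is an assumption; it depends on the
# Apache/OpenSSL build, and newer builds also include TLSv1.3.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # everything below TLS 1.2


def resolve_ssl_protocol(value, all_protocols=ALL_PROTOCOLS):
    """Evaluate SSLProtocol tokens left to right and return the enabled set."""
    known = {p.lower(): p for p in all_protocols}
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "sslv2":
            if action == "-":
                continue  # assumed no-op: SSLv2 is absent from current builds
            raise ValueError("SSLv2 cannot be enabled")
        if name == "all":
            selected = set(all_protocols)
        elif name in known:
            selected = {known[name]}
        else:
            raise ValueError(f"unknown protocol token: {token}")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            enabled = selected  # a bare token replaces what was set before
    return enabled


def audit(config_text):
    """Report enabled and deprecated protocols for a block of directives."""
    directives = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    enabled = resolve_ssl_protocol(directives["sslprotocol"])
    return {"enabled": sorted(enabled), "deprecated": sorted(enabled & DEPRECATED)}


# The two directive sets quoted in the post.
OLD = "SSLHonorCipherOrder on\nSSLProtocol TLSv1.1 +TLSv1.2\n"
NEW = "SSLHonorCipherOrder on\nSSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, cfg in (("old", OLD), ("new", NEW)):
        print(label, audit(cfg))
```

Under these assumptions the older line still leaves TLSv1.1 enabled, while the newer line leaves only TLSv1.2.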

  • Thanks a lot Matt for sharing the setting, which is helpful for getting an A+ rating. In your setting you have removed TLS 1.1 and are using only TLSv1.2. The above combination to get A+ is dynamic and changes. The NAM team needs to be updated with the new security setting.

    I will check with NAM team to verify your setting and update it in documentation.