Cipher Set

Select the cipher set to view/modify.

The system-defined cipher sets are as follows:

  • Default: The cipher set that is configured on the LoadMaster on a fresh installation. This cipher set is geared towards backwards compatibility with previous releases of the LoadMaster.
  • Default_NoRc4: A more secure version of the default set that does not contain any RC4 ciphers, which are considered to be insecure on modern networks.
  • BestPractices: This is the recommended cipher set to use on the LoadMaster and it is updated occasionally to reflect the current industry best practices. It does not include older and legacy cipher sets which may be required by older browser and application deployments. The last update to the BestPractices set was made in LoadMaster version 7.2.60.0. Please see the LoadMaster Release Notes for more information.
  • Intermediate_compatibility: This cipher set includes some ciphers that are required by older browser and service implementations that are still seen in the field.
  • Backward_compatibility: This cipher set provides maximum backward compatibility for clients back to Windows XP/IE6 at the risk of using less secure ciphers.
Note: The Backward_compatibility cipher set should be used as a last resort only.
  • WUI: This is the default cipher set used by the administrative user interface. It can be changed by using the controls under Certificates & Security > Admin WUI Access.
  • FIPS: This set contains only ciphers that conform to Federal Information Processing Standards (FIPS) 140-2 level 1 standard and should be used only in those deployments that require it.
  • Legacy: This cipher set is provided solely for upgrade compatibility for legacy LoadMaster firmware versions (v7.0-10 and previous). After upgrade to a modern version of LoadMaster, it is recommended to choose a more secure cipher set.
  • Null_Ciphers: This cipher set contains what are called 'null ciphers', which do not provide any cryptographic protection, but rather depend on the application to provide it. In general, use these ciphers only if required by the application and if that application provides independent cryptographic protection.

  • ECDSA_Default: This cipher set includes only cipher sets that use elliptical curve cryptography and is recommended for those deployments that require EC cryptography.

  • ECSDA_BestPractices: This is a modified version of the ECDSA_Default set that includes only those ciphers that conform to the Common Criteria standards.

To find out what ciphers are in each cipher set, go to Certificates & Security > Cipher Sets. Select the relevant Cipher Set.

Note: Progress Kemp reserves the right to change the contents of these cipher sets at any time in response to changes in industry security standards and best practices.

Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear grayed out in the Available Ciphers list.

Changes cannot be made to a pre-configured cipher set. However, you can start with a pre-configured cipher set – make any changes as needed and then save the cipher set with a new custom name. Enter the new name in the Save as text box and click the Save button. Custom cipher sets can be used across different Virtual Services and can be assigned as the WUI cipher set.

Note: When you create or modify a custom cipher set, the LoadMaster restarts the SSL services to apply the updated configuration. As part of this process, all affected Virtual Services are temporarily stopped and restarted.

This behavior is expected and can cause a brief interruption to client connections while the configuration change is applied. To minimize impact in production environments, we recommend:

  • Creating and testing new cipher sets on a non‑production LoadMaster first.

  • Scheduling cipher set changes during a maintenance window.

It is not possible to delete pre-configured cipher sets. However, custom cipher sets can be deleted by selecting the relevant custom cipher set and clicking the Delete Cipher set button.