To achieve an A or A+ rating from SSL Labs while using the LoadMaster's SSL acceleration function, first you must download and apply the latest firmware version. This prevents the latest protocol attacks and addresses critical vulnerabilities. Refer to the LoadMaster Release Notes for further details.

The latest firmware can be downloaded from the following page: LoadMaster Downloads.

In general, there are four main components that determine the strength of a given site's SSL implementation: certificate, protocol support, key exchange, and cipher strength.

Certificates

Ensure that your certificate has been issued by an authorized Certificate Authority (CA).

SSL chain issues in an SSL Labs report mean that an intermediate certificate is missing from your LoadMaster. To resolve the chain issue, you must upload and apply an intermediate certificate from your CA's website to your LoadMaster. For more information, refer to the How to Troubleshoot SSL Certificate Chain Issues section.

For step-by-step instructions on how to upload your certificate to the LoadMaster, refer to the Adding an SSL Certificate section.

For step-by-step instructions on how to upload your intermediate certificate to the LoadMaster, refer to the Importing Intermediate Certificates section.

Protocol Support

In the SSL Properties section of your Virtual Services, disable SSLv3, TLS1.0, and TLS1.1 as Supported Protocols, so that only TLS1.2 and TLS1.3 are enabled.

Enable Require SNI Hostname

We recommend enabling the Require SNI hostname check box in the SSL Properties section of the Virtual Service modify screen.

Key Exchange and Cipher Strength

We recommend selecting the BestPractices Cipher Set in the SSL Properties section of the Virtual Service modify screen. This cipher set is for services that do not require backward compatibility, and it provides the greatest compatibility while still maintaining an A rating. However, Windows XP clients using Internet Explorer 6 will not be able to connect. If support for these clients is necessary, re-enable SSLv3.

HSTS (HTTP Strict Transport Security)

To get the A+ rating, SSL Labs requires you to use HSTS. Refer to the following Knowledge Base article to add HSTS to your Virtual Service: HTTP Strict Transport Security.
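
One way to check the Protocol Support and HSTS settings from a client after applying them, as an added example that is not part of the LoadMaster documentation. The function names are hypothetical, and the probe assumes an OpenSSL-backed Python build.

```python
import socket
import ssl

# Policy from the page: legacy versions off, TLS1.2 and TLS1.3 on.
# SSLv3 is not listed because current Python/OpenSSL builds cannot offer it.
EXPECTED = {
    ssl.TLSVersion.TLSv1: False,
    ssl.TLSVersion.TLSv1_1: False,
    ssl.TLSVersion.TLSv1_2: True,
    ssl.TLSVersion.TLSv1_3: True,
}

def pinned_context(version):
    """Client context able to negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only; the certificate
    ctx.verify_mode = ssl.CERT_NONE  # chain is checked separately
    # Assumption: OpenSSL. At its default security level the client itself
    # refuses TLS1.0/1.1, which would hide a server that still accepts them.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def accepts(host, port, version, sni=None, timeout=5.0):
    """True if a handshake at exactly `version` completes (pass `sni` when probing by IP)."""
    ctx = pinned_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # handshake refused; an unreachable host still raises

def hsts_max_age(header):
    """max-age in seconds from a Strict-Transport-Security value, else None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

def findings(observed, hsts_header):
    """List deviations from EXPECTED and from a usable HSTS header."""
    out = [f"{v.name}: policy={want}, observed={observed.get(v)}"
           for v, want in EXPECTED.items() if observed.get(v) is not want]
    if not hsts_max_age(hsts_header):  # None, or 0 which switches HSTS off
        out.append("HSTS: header missing, or max-age absent or 0")
    return out
```

Build `observed` with `{v: accepts(host, 443, v, sni=name) for v in EXPECTED}` and pass the Strict-Transport-Security value from a response to `findings`; an empty list means the service matches the settings above.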