The LoadMaster supports SSLv3, TLS1.0, TLS1.1, TLS1.2, and TLS1.3.

Ciphers define how the data stream is encrypted. The LoadMaster supports ciphers that provide perfect forward secrecy and ciphers that use elliptic curve cryptography.

Each Virtual Service that has SSL Acceleration enabled has a cipher set assigned to it. This can be either one of the system-defined cipher sets or a user-customized cipher set. The system-defined cipher sets provide a quick way to apply the relevant ciphers.

A cipher set also needs to be assigned to the LoadMaster WUI. To set the WUI cipher set, go to Certificates & Security > Admin WUI Access.

Note: CHACHA20-POLY1305 ciphers are given special preference when they appear in both the client and LoadMaster cipher lists. If these ciphers appear at the top of the client preference list, the LoadMaster will prioritize using CHACHA20-POLY1305 ciphers for the connection, regardless of the position of these ciphers in the LoadMaster’s cipher list.
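The preference rule in the note above can be modelled as follows. This is an added example, not LoadMaster code: it assumes that the LoadMaster's own list order decides in every other case, and the cipher lists are constructed samples.

```python
# Model of the CHACHA20-POLY1305 preference rule described in the note.
# Assumption (not stated on the page): outside that rule, the first shared
# cipher in the server's own order is chosen.

def is_chacha(name):
    return "CHACHA20" in name.upper()

def select_cipher(client_prefs, server_prefs):
    """Return the cipher the server side would pick, or None if none is shared."""
    offered = set(client_prefs)
    shared = [c for c in server_prefs if c in offered]  # kept in server order
    if not shared:
        return None  # no common cipher: the handshake would fail
    # Rule from the note: the client lists ChaCha20 first and both sides have it,
    # so it wins regardless of where it sits in the server's list.
    if is_chacha(client_prefs[0]):
        for cipher in shared:
            if is_chacha(cipher):
                return cipher
    return shared[0]

# Constructed sample lists (OpenSSL-style names), ChaCha20 last on the server.
SERVER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
]
MOBILE = [  # client without AES hardware support puts ChaCha20 first
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
DESKTOP = [  # ChaCha20 offered, but not as first choice
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    print("mobile :", select_cipher(MOBILE, SERVER))
    print("desktop:", select_cipher(DESKTOP, SERVER))
```

When reviewing which cipher a Virtual Service negotiated, keep this rule in mind: a ChaCha20 result for one client does not mean the order of the assigned cipher list was ignored for other clients.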

The system-defined cipher sets are as follows:

  • Default: The cipher set that is configured on the LoadMaster on a fresh installation. This cipher set is geared towards backwards compatibility with previous releases of the LoadMaster.
  • Default_NoRc4: A more secure version of the default set that does not contain any RC4 ciphers, which are considered to be insecure on modern networks.
  • BestPractices: This is the recommended cipher set to use on the LoadMaster and it is updated occasionally to reflect the current industry best practices. It does not include older and legacy ciphers which may be required by older browser and application deployments. The last update to the BestPractices set was made in LoadMaster version 7.2.60.0. Please see the LoadMaster Release Notes for more information.
  • Intermediate_compatibility: This cipher set includes some ciphers that are required by older browser and service implementations that are still seen in the field.
  • Backward_compatibility: This cipher set provides maximum backward compatibility for clients back to Windows XP/IE6 at the risk of using less secure ciphers.
    Note: The Backward_compatibility cipher set should be used as a last resort only.
  • WUI: This is the default cipher set used by the administrative user interface. It can be changed by using the controls under Certificates & Security > Admin WUI Access.
  • FIPS: This set contains only ciphers that conform to Federal Information Processing Standards (FIPS) 140-2 level 1 standard and should be used only in those deployments that require it.
  • Legacy: This cipher set is provided solely for upgrade compatibility for legacy LoadMaster firmware versions (v7.0-10 and previous). After upgrade to a modern version of LoadMaster, it is recommended to choose a more secure cipher set.
  • Null_Ciphers: This cipher set contains what are called 'null ciphers', which do not provide any cryptographic protection, but rather depend on the application to provide it. In general, use these ciphers only if required by the application and if that application provides independent cryptographic protection.
  • ECDSA_Default: This cipher set includes only ciphers that use elliptic curve cryptography and is recommended for those deployments that require EC cryptography.
  • ECDSA_BestPractices: This is a modified version of the ECDSA_Default set that includes only those ciphers that conform to the Common Criteria standards.

To find out what ciphers are in each cipher set, go to Certificates & Security > Cipher Sets. Select the relevant Cipher Set. Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear grayed out in the Available Ciphers list.
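Once the Assigned Ciphers list of a custom set has been copied out of the WUI, it can be checked against the weaknesses this page names: RC4, null ciphers, and key exchanges without forward secrecy. The following is an added example, not a LoadMaster tool; it assumes OpenSSL-style cipher names, and the sample list is constructed.

```python
# Name-based review of an Assigned Ciphers list.
# Assumption: names follow OpenSSL conventions, where TLS 1.3 suites start
# with "TLS_" (always ephemeral key exchange) and forward-secret TLS 1.2
# suites start with ECDHE-, DHE- or the legacy alias EDH-.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

def classify(name):
    """Return the findings for one cipher name (empty list = nothing flagged)."""
    n = name.strip().upper()
    findings = []
    if "NULL" in n:
        findings.append("null")            # no encryption at all
    if "RC4" in n:
        findings.append("rc4")             # considered insecure
    if not n.startswith("TLS_") and not n.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("no-forward-secrecy")
    return findings

def audit(assigned):
    """Map each flagged cipher in the list to its findings."""
    report = {}
    for name in assigned:
        findings = classify(name)
        if findings:
            report[name] = findings
    return report

# Constructed sample of an assigned list, as it might be pasted from the WUI.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "ECDHE-RSA-RC4-SHA",
    "RC4-SHA",
    "NULL-SHA256",
]

if __name__ == "__main__":
    for cipher, findings in audit(SAMPLE).items():
        print(f"{cipher}: {', '.join(findings)}")
```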

Note: Progress Kemp reserves the right to change the contents of these cipher sets at any time in response to changes in industry security standards and best practices.

Clicking the Modify Cipher Set button in the SSL Properties section in the Virtual Service modify screen will bring you to the Cipher Set Management screen. This screen allows you to create new and modify existing custom cipher sets.

Note: When you create or modify a custom cipher set, the LoadMaster restarts the SSL services to apply the updated configuration. As part of this process, all affected Virtual Services are temporarily stopped and restarted.

This behavior is expected and can cause a brief interruption to client connections while the configuration change is applied. To minimize impact in production environments, we recommend:

  • Creating and testing new cipher sets on a non‑production LoadMaster first.

  • Scheduling cipher set changes during a maintenance window.

Starting with version 7.2.37, when re-encryption is enabled, the TLS versions that can be negotiated between the LoadMaster and the Real Servers behind it are no longer constrained by the TLS version settings configured on the client side. All TLS versions and ciphers that are supported on the LoadMaster can be negotiated without restriction by Real Servers. In this way, the LoadMaster can, for example, provide strict security for client-side application access and still support server-side connections to legacy servers that only support specific, less secure TLS versions and ciphers. This is illustrated in the example below.

Server connections are only restricted by the configuration of the Real Servers, regardless of the TLS version selected on the client side. Each Real Server can be configured independently of the others. The LoadMaster negotiates connections according to the requirements of each Real Server.