F5 SSL Offloading - Performance Improvement Using @SPEED
After analyzing several applications that suffered from slow SSL negotiation and low SSL rankings over the past few months, I would like to share some tips on modifying the F5 client SSL cipher string to improve SSL negotiation speed and rankings without any client impact.
A common reason behind low SSL rankings and performance
While analyzing a number of sites with low SSL rankings and poor performance, a common finding was the warning "This server does not support Forward Secrecy with the reference browsers".
An ssllabs.com report captured from a low-performing SSL site showed that RSA-based ciphers (static RSA key exchange, which provides no forward secrecy) were the server's first preference for key exchange, while the ECDHE-based ciphers, which do support forward secrecy, were only the second choice.
Image. 1. Cipher order with RSA based ciphers preferred as the first choice
Improving SSL rankings and performance without application impacts
To improve SSL rankings and performance, the cipher order needs to be changed so that the ECDHE-based ciphers, which support forward secrecy, become the server's first choice during negotiation.
ECDHE can be prioritized by adding the @SPEED keyword at the end of the cipher string in the client-ssl profile.
Example - DEFAULT:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED
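The following script is an added example; it is not part of the original article and is not F5 code. It models the ssllabs.com finding quoted above by looking at which key-exchange method a server's first-choice cipher uses, and it reorders a constructed sample preference list so that the forward-secrecy (ECDHE) suites come first, which is the effect the article observed after adding @SPEED. The BEFORE_ORDER list, the suite names (OpenSSL naming) and the grouping rule are constructed for illustration; the reorder is not F5's own sorting algorithm.

```python
"""Check a cipher preference order for forward secrecy and reorder it.

Added example (not from the original article, not F5 code). The sample
orders below are constructed in OpenSSL naming; they only illustrate the
"RSA first vs. ECDHE first" difference discussed in the article.
"""
from typing import List, Tuple

# Key-exchange families that use ephemeral keys and therefore give forward secrecy.
FORWARD_SECRET_KX = ("ECDHE", "DHE")

# Key-exchange prefixes OpenSSL spells out; anything else is static RSA.
KNOWN_KX_PREFIXES = ("ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP")

# Constructed sample of a server that prefers static-RSA suites first
# (the situation shown in the article's first ssllabs capture).
BEFORE_ORDER = [
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def key_exchange(suite: str) -> str:
    """Return the key-exchange method named by an OpenSSL-style suite name.

    ECDHE-RSA-AES128-GCM-SHA256 -> "ECDHE"
    AES256-SHA                  -> "RSA" (OpenSSL omits the RSA kx prefix)
    """
    first = suite.split("-", 1)[0]
    return first if first in KNOWN_KX_PREFIXES else "RSA"


def has_forward_secrecy(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral (ECDHE or DHE)."""
    return key_exchange(suite) in FORWARD_SECRET_KX


def first_choice_report(order: List[str]) -> Tuple[bool, str]:
    """Simplified form of the ssllabs 'reference browser' check.

    A modern browser offers every suite in the list, so it gets the
    server's first preference; forward secrecy counts as supported only
    if that first preference is an ephemeral suite.
    """
    if not order:
        raise ValueError("empty cipher order")
    top = order[0]
    return has_forward_secrecy(top), top


def prefer_forward_secrecy(order: List[str]) -> List[str]:
    """Move every ECDHE/DHE suite ahead of the static-RSA suites.

    Relative order inside each group is preserved. This reproduces the
    ECDHE-first outcome the article observed after adding @SPEED; it is
    an approximation, not F5's actual @SPEED sort.
    """
    ephemeral = [s for s in order if has_forward_secrecy(s)]
    static = [s for s in order if not has_forward_secrecy(s)]
    return ephemeral + static


def speed_keyword_present(cipher_string: str) -> bool:
    """True when the F5 cipher string contains the @SPEED keyword as its own element."""
    return "@SPEED" in cipher_string.split(":")


if __name__ == "__main__":
    supported, top = first_choice_report(BEFORE_ORDER)
    print(f"before: first choice {top}, forward secrecy: {supported}")
    after = prefer_forward_secrecy(BEFORE_ORDER)
    supported, top = first_choice_report(after)
    print(f"after:  first choice {top}, forward secrecy: {supported}")
    print("@SPEED present:",
          speed_keyword_present("DEFAULT:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED"))
```

Rather than trusting the model above, confirm the real order on the BIG-IP after the change: `tmm --clientciphers '<your cipher string>'` lists the suites in the order the client-ssl profile will offer them, and a fresh ssllabs.com scan should then show the forward-secrecy warning gone.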
Cipher Suite comparison before and after adding @SPEED
Image. 2. Cipher order comparison before and after adding @SPEED
Performance Improvement
A web page load time comparison was conducted before and after the cipher reordering with @SPEED; the reordering resulted in a +30% performance gain.
Image. 3. Web page load time comparison before and after the reordering
Conclusion
When configuring HTTPS for applications and web pages, it is important to pay attention to the server-preferred cipher order. Ordering the ciphers with both security and speed in mind results in better performance.
Nicely explained!