AnsweredAssumed Answered

How to get IE8-10/Win7 FS support recognized in the "reference browser" simulations

Question asked by dar9 on May 7, 2015
Latest reply on May 8, 2015 by Matthew Wolfe

Recently I had my server upgraded to get a better Qualys score (getting a "B", mainly because I've chosen to still support RC4, for now, but that's not the issue). The Qualys scan indicates: "The server does not support Forward Secrecy with the reference browsers". In checking this out, I see that under the "handshake simulation" section, the only "reference" browser (browsers marked with an "R") that shows up as "No FS" is IE 8-10/Win7,which shows on the scan's simulation list as follows:

IE 8-10 / Win 7  R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   No FS

So, I assume this one IE simulation is the only reason I'm getting the "does not support FS on reference browsers" message.  My problem is that I don't understand why the IE8-10 simulation is coming up as "no FS", and showing a non-FS key exchange (TLS_RSA),  given the following observations (the info below suggests to me that my server does offer the needed ECDHE option for IE8-10/Win7 for FS):

 

When I check the Qualys "user agent capabilities" page for IE8-10/Win 7, I see that the first preferred forward secrecy cipher is this:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy

 

And then, when I check the Cipher Suites list (no order preference) from this same scan, I see that this same cipher ( TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS ) is on the list of what my server is apparently offering, which seems to match the IE8-10 FS cipher shown above from the "capabilities" page.

 

My server is running apache 2.4, with the following settings:

 

SSLCipherSuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH  (chosen since this is the default for "PCI compliance", as I understand it -- but I'm open to changing this)

 

SSLProtocol: All -SSLv2 -SSLv3

 

Protocols, as shown on the scan:

TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3 No

SSL 2 No

 

So, I'm trying to understand what I need to change to make IE8-10/Win 7 FS work in the simulation so that I can be rated as having FS support for all the current Qualys "reference browsers".

 

Any insights appreciated. Thanks.

Outcomes