(apologies if this has already been asked and I've failed to understand the answer)
If I deploy a Server 2012 R2 IIS website with TLS 1.1 and TLS 1.2 (only) enabled, I get an A. All of the Handshake Simulations use either TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. There's a bunch of other ciphers (all in orange and labelled as 'WEAK') which don't appear to be used, but if I disable them and run the test again I end up with a B because I have no AEAD ciphers enabled.
Why am I being penalised for not providing AEAD ciphers if nobody appears to use them?