Hello Qualys -

I am trying to get a better understanding of what it takes to pass or fail the AEAD Cipher test besides the short blog that was posted in February. Do you have a sample of ciphers that will pass for each Windows Server? Windows 2008, 2012, and 2016.

Last Question -

Can you please tell me why the following cipher suite does not pass?

| TLS 1.2 (suites in server-preferred order) | Bits |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (`0xc028`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (`0xc014`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (`0xc027`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (`0xc013`) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |

None of those that you listed are AEAD cipher suites.

Windows Server 2016 supports the following AEAD cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

Windows Server 2008 R2 through 2012 R2 support the following AEAD cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

Windows Server 2008 does not support any AEAD cipher suites.
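As an added example (not part of the original thread and not Qualys code), the following sketch parses IANA-style suite names and shows why the four CBC suites in the question are not AEAD while the GCM suites in the answer are. The function names `classify` and `non_aead` are hypothetical, and the check is generalized beyond the GCM suites on this page to CCM and ChaCha20-Poly1305 names.

```python
import re

# Bulk-cipher endings that mark an AEAD construction in IANA suite names.
AEAD_RE = re.compile(r"(_GCM|_CCM(_8)?|CHACHA20_POLY1305)$")
HASH_RE = re.compile(r"^(SHA\d*|MD5)$")

# The four suites from the question, copied from the scan output above.
QUESTION_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def classify(name):
    """Parse an IANA-style TLS suite name and report AEAD / forward secrecy."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    body = name[len("TLS_"):]
    # TLS 1.2 and earlier: TLS_<kx>_WITH_<cipher>[_<hash>]; TLS 1.3 omits <kx>_WITH_.
    kx, sep, rest = body.partition("_WITH_")
    if not sep:
        kx, rest = None, body
    cipher, _, tail = rest.rpartition("_")
    if not HASH_RE.match(tail):  # e.g. ..._WITH_AES_128_CCM_8 has no hash suffix
        cipher, tail = rest, None
    aead = bool(AEAD_RE.search(cipher))
    # Forward secrecy needs an ephemeral exchange; a TLS 1.3 name does not say.
    fs = None if kx is None else kx.startswith(("ECDHE", "DHE"))
    return {
        "suite": name,
        "key_exchange": kx,
        "cipher": cipher,
        "hash": tail,
        # In AEAD suites the trailing hash is the PRF hash, not a record MAC.
        "hash_role": None if tail is None else ("PRF" if aead else "HMAC"),
        "aead": aead,
        "forward_secrecy": fs,
    }

def non_aead(suites):
    """Return the suites that would not count toward an AEAD check."""
    return [s for s in suites if not classify(s)["aead"]]

if __name__ == "__main__":
    for s in QUESTION_SUITES + ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]:
        r = classify(s)
        print(f"{s}: cipher={r['cipher']} aead={r['aead']} fs={r['forward_secrecy']}")
```

A trailing `SHA384` or `SHA256` does not make a suite AEAD: in the CBC suites it names the HMAC, while in the GCM suites it names the PRF hash and integrity comes from the cipher mode itself.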