AnsweredAssumed Answered

Confused over PFS on the report

Question asked by Paul Gray on Jul 3, 2018
Latest reply on Jul 4, 2018 by Paul Gray

Hi all,

 

I've run a report against our VPN site (which only supports TLS1.2) and the report came back with the following ciphers being supported;

 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK256

 

 

My understating is that the FS stands for Forward Secrecy and that these ciphers support with FS against them supports Forward Secrecy.

 

On the report, it also states that 'This server does not support Forward Secrecy with the reference browsers'.

 

Here's my confusion. Is it stating that the site doesn't support forward secrecy or that as the 2 specified weak ciphers (with RSA) can be used then, then the site only gets a B because the 2 are supported?

 

 

Thanks,

 

Paul

Outcomes