
Why is the grade capped down to B from A+ when weak ciphers are removed?

Question asked by Meshach M on Jul 11, 2019
Latest reply on Jul 13, 2019 by Lily Wilson

Initially, when tested with SSL Labs, the overall rating given was A+. Under Cipher Suites it showed all the ciphers with CBC and TLS_RSA as weak. I know that these are considered weak.

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK   256


But when the cipher suites below are removed, the grade is capped down to B.

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256


The reason mentioned was "This server does not support Forward Secrecy with the reference browsers. Grade capped to B".

Grade B after removing weak cipher suites

Why is it so?

When there are two suites (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1) which have forward secrecy implemented, why is SSL Labs stating that the server does not support forward secrecy?

Why is the grade capped down when weak ciphers (as mentioned by SSL Labs) are removed?


Kindly let me know the reasons.
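The mechanism behind a "no forward secrecy with the reference browsers" finding is cipher-suite negotiation: a server that honours its own preference picks the first suite in its list that the client also offers, so the suite a given client lands on depends on the intersection of the two lists, not on whether the server has ECDHE suites at all. The script below is an added example, not code from the original post or from SSL Labs; it replays that selection over the two server configurations the post lists (before and after the two ECDHE CBC suites were removed) against two constructed, hypothetical client offer lists. It does not reproduce SSL Labs' grading rules or its actual reference-browser suite lists, which are assumptions it deliberately leaves out.

```python
"""Simulate TLS 1.2 cipher-suite negotiation for the two server configurations
in the post.  Added example, not the post's or SSL Labs' code; it does not
model SSL Labs' grading or its real reference browsers."""

# Server-preferred order exactly as listed in the post (TLS 1.2 suites).
SERVER_BEFORE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

# The two ECDHE CBC suites the post says were removed.
REMOVED = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}
SERVER_AFTER = [s for s in SERVER_BEFORE if s not in REMOVED]

# Constructed client offers (hypothetical; NOT SSL Labs' reference browsers).
# Each list is what the client advertises in its ClientHello.
CLIENTS = {
    # Supports ECDHE with GCM, so it can always reach an FS suite.
    "gcm_capable_client": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ],
    # Supports ECDHE only with CBC; its only fallback is static RSA.
    "cbc_only_client": [
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
    ],
}


def key_exchange(suite):
    """Key-exchange part of an IANA suite name, e.g. 'TLS_ECDHE_RSA'."""
    return suite.split("_WITH_")[0]


def has_forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA does not."""
    return "DHE" in key_exchange(suite)


def is_weak(suite):
    """The markers the post's SSL Labs output flags: CBC mode or static RSA."""
    return "_CBC_" in suite or key_exchange(suite) == "TLS_RSA"


def negotiate(server_prefs, client_offers):
    """Server-preferred selection: first suite in server order the client offers."""
    offered = set(client_offers)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail


def assess(server_prefs, clients):
    """Map each client name to (negotiated suite, forward secrecy?, weak?)."""
    result = {}
    for name, offers in clients.items():
        suite = negotiate(server_prefs, offers)
        if suite is None:
            result[name] = (None, False, False)
        else:
            result[name] = (suite, has_forward_secrecy(suite), is_weak(suite))
    return result


def all_clients_get_fs(server_prefs, clients):
    """True only if every client negotiates an FS suite (a failed handshake counts as no FS)."""
    return all(fs for _suite, fs, _weak in assess(server_prefs, clients).values())


if __name__ == "__main__":
    for label, prefs in (("before removal", SERVER_BEFORE), ("after removal", SERVER_AFTER)):
        print(f"== {label} ==")
        for name, (suite, fs, weak) in assess(prefs, CLIENTS).items():
            print(f"{name:20} {suite or 'NO COMMON SUITE':42} FS={fs} weak={weak}")
        print("every client gets FS:", all_clients_get_fs(prefs, CLIENTS))
```

Run it as a script to see the two reports side by side. With these constructed lists the CBC-only client negotiates an ECDHE suite before the removal and a TLS_RSA suite after it, so the server "supports" forward secrecy in both configurations yet stops delivering it to that client. Whether that is what happened on the tested server depends on what the reference browsers actually offer; the useful check in practice is to enumerate which suite each client you care about ends up on after every change, rather than to look only at which suites remain enabled.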
