Qualys SSL Labs and AEAD cipher suites Notice
Question asked by David Jamell - February 8 at 8:08 AM
Unanswered
I know many of us use Qualys SSL Labs Test to setup and maintain our servers and I wanted to get some feedback on their recent notice when running a test:
 
"This server does not support Authenticated encryption (AEAD) cipher suites. Grade will be capped to B from March 2018"
 
I've been using Bruce Barnes' Cipher Suite list on my servers which has worked well in the past with an "A" Rating.
 
Any thoughts from the community?

3 Replies

Reply to Thread
0
Scarab Replied
There are only two cipher suites that support AEAD, the AES-GCM and ChaCha20-Poly1305 algorithms (the later of which is not available for Windows Server). They only work on TLS 1.2 and are mandatory for TLS 1.3 (which is not yet available for Windows Server and from the sounds of it won't be coming any time soon, even for W2K16R2).
 
To avoid this message you would want to disable PCT, SSL 2-3 & TLS 1.0, 1.1 and prioritize all of the AES-GCM algorithms at the top of your TLS handshake list. (You can easily do this with Nartac's IIS Crypto)
 
However, note that many older mail clients and mail servers may not be able to negotiate a TLS 1.2 connection. Unless you have a specific mandate requiring you to disable TLS 1.1 (such as HIPPA compliance...note that even PCI-DSS compliance allows TLS 1.1 after June, 2018, just not TLS 1.0) then I wouldn't recommend disabling TLS 1.1 on your server hosting SmarterMail just for a higher grade on a synthetic benchmark that favors bleeding edge flavors of Linux (even the latest build of Debian would be capped at B+ for the same reasons as Microsoft Windows). A look in your Windows System Event Log for your server running SmarterMail will probably already show a large number of Schannel errors of those clients and servers that are already unable to negotiate a connection because of outdated protocols, algorithms, or cipher suites that your server no longer supports.
0
David Jamell Replied
Awesome and complete response! Thank you very much Scarab!
0
Scarab Replied
Just tested it on a 2K12R2 Server with TLS1.1 still enabled and as long as the TLS_ECDHE_ECDSA_WITH_AES_XXX_GCM_SHAXXX_PXXX ciphers are at the very top of the Cipher Suite list you can (and will) still get an "A" rating if the rest of your Schannel Protocols, Ciphers, Hashes, and Key Exchanges are good.

Reply to Thread