I am developing enterprise-wide TLS configuration standards. My previous baseline site had an A- due to no Forward Secrecy. Other than that, it had a score of 90 on all subscores, except for 'Certificate' where it had 100.
The cipher suite list from the server was:
Most simulated clients were negotiating TLS_RSA_WITH_AES_128_CBC_SHA which doesn't have FS.
So I added ECDHE RSA ciphers, among others, and now most of the simulated clients negotiate TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA which DOES have FS.
In no case was any of the simulated clients negotiating a cipher that was weaker than with the original suite listed above. However, when I check my scores, the 'Key Exchange' subscore has dropped from 90 to 80.
Does changing the key exchange from RSA to ECDHE actually decrease the security/strength of the key exchange process?
Any input is appreciated.