Recently I had my server upgraded to get a better Qualys score (getting a "B", mainly because I've chosen to still support RC4, for now, but that's not the issue). The Qualys scan indicates: "The server does not support Forward Secrecy with the reference browsers". In checking this out, I see that under the "handshake simulation" section, the only "reference" browser (browsers marked with an "R") that shows up as "No FS" is IE 8-10/Win7, which shows on the scan's simulation list as follows:
IE 8-10 / Win 7 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS
So, I assume this one IE simulation is the only reason I'm getting the "does not support FS on reference browsers" message. My problem is that I don't understand why the IE8-10 simulation is coming up as "no FS", and showing a non-FS key exchange (TLS_RSA), given the following observations (the info below suggests to me that my server does offer the needed ECDHE option for IE8-10/Win7 for FS):
When I check the Qualys "user agent capabilities" page for IE8-10/Win 7, I see that the first preferred forward secrecy cipher is this:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy
And then, when I check the Cipher Suites list (no order preference) from this same scan, I see that this same cipher (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS) is on the list of what my server is apparently offering, which seems to match the IE8-10 FS cipher shown above from the "capabilities" page.
My server is running apache 2.4, with the following settings:
SSLCipherSuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (chosen since this is the default for "PCI compliance", as I understand it -- but I'm open to changing this)
SSLProtocol: All -SSLv2 -SSLv3
Protocols, as shown on the scan:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
So, I'm trying to understand what I need to change to make IE8-10/Win 7 FS work in the simulation so that I can be rated as having FS support for all the current Qualys "reference browsers".
Any insights appreciated. Thanks.
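A minimal model of the cipher-suite negotiation behind this scan result, as an added example that is not part of the original question: it shows how a server that advertises TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA can still land on TLS_RSA_WITH_AES_128_CBC_SHA against a client whose ClientHello lists static-RSA suites ahead of its first forward-secrecy suite. The suite lists are constructed, the client order is an assumption modelled on IE 8-10/Win 7, and the honor_server_order flag stands in for Apache's SSLHonorCipherOrder directive, which is not part of the configuration quoted above.

```python
# Added example, not from the original question: a minimal model of TLS 1.x
# cipher-suite selection. Both suite lists are constructed for illustration.

# Server's offered suites in the server's own preference order (constructed;
# it mimics a cipher string that pulls RC4+RSA to the front).
SERVER_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

# Client's ClientHello order (assumption modelled on IE 8-10 / Win 7: the first
# forward-secrecy suite is only fourth overall, behind three static-RSA suites).
IE8_WIN7_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

FS_KEY_EXCHANGES = ("TLS_ECDHE_RSA", "TLS_ECDHE_ECDSA", "TLS_DHE_RSA", "TLS_DHE_DSS")


def negotiate(server, client, honor_server_order):
    """Return the suite the server selects: the first suite common to both lists,
    walking the server list if the server enforces its order, else the client list."""
    preferred, other = (server, client) if honor_server_order else (client, server)
    for suite in preferred:
        if suite in other:
            return suite
    return None  # no common suite: handshake failure


def has_forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA does not."""
    return suite is not None and suite.split("_WITH_")[0] in FS_KEY_EXCHANGES


def fs_first(suites):
    """Reorder a server list so forward-secrecy suites lead, keeping relative order."""
    fs = [s for s in suites if has_forward_secrecy(s)]
    return fs + [s for s in suites if s not in fs]


if __name__ == "__main__":
    for honor in (False, True):
        print(honor, negotiate(SERVER_SUITES, IE8_WIN7_SUITES, honor))
    print("fs-first + honor:", negotiate(fs_first(SERVER_SUITES), IE8_WIN7_SUITES, True))
```

With the client deciding, the model reproduces the scan's TLS_RSA_WITH_AES_128_CBC_SHA; enforcing server order only helps once the server list itself leads with the ECDHE suites.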