In MS14-066, Microsoft added new cipher suites that support Forward Secrecy and Authenticated Encryption with Associated Data (FS + AEAD). Unfortunately, for all but the latest (Windows 10) builds, Microsoft did not include ECDHE, instead supporting DHE. This puts support for the "best" Microsoft suites in conflict with the SSL Labs guidance to disable Diffie-Hellman with less than 2048-bit parameters.
- Some customers have reported an issue that's related to the changes in this release.
In MS15-055, Microsoft implemented the "LogJam Fix" to set the minimum DH key to 1024-bit.
SSL Labs reports based on the parameters being 1024-bit, regardless of whether the DH group is "unique or infrequently used".
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Even though WeakDH.ORG says. Ideally the grade should only be capped to B if both conditions (<=1024 AND common DH Group) are met.
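The two conditions named above, checked against the DH parameters a server sends in its TLS ServerKeyExchange, as an added example that is not part of the original post and not SSL Labs code. The "current" and "proposed" policy names, the helper names and the sample messages are assumptions; the only shared prime listed is RFC 2409 Oakley Group 2.

```python
import struct

# RFC 2409 Oakley Group 2 (1024-bit MODP) prime, a widely shared DH group.
OAKLEY_GROUP_2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
COMMON_PRIMES = {OAKLEY_GROUP_2}  # assumption: extend with other shared primes


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys, each with a
    2-byte big-endian length. Trailing bytes (the signature) are ignored."""
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated length field for {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(values)


def grade_cap(p: int, policy: str = "proposed"):
    """Return "B" if the grade would be capped, else None.
    "current": size alone, as the post describes the existing behaviour.
    "proposed": only when the prime is <= 1024 bits AND a common group."""
    small = p.bit_length() <= 1024
    if policy == "current":
        return "B" if small else None
    return "B" if small and p in COMMON_PRIMES else None


def encode(*ints):
    """Build a constructed ServerDHParams body from integers (sample data)."""
    raws = [n.to_bytes((n.bit_length() + 7) // 8, "big") for n in ints]
    return b"".join(struct.pack("!H", len(r)) + r for r in raws)


# Constructed samples. UNIQUE uses a stand-in 1024-bit modulus that is not
# checked for primality; it only exercises the "not a common group" branch.
SHARED = encode(OAKLEY_GROUP_2, 2, 5)
UNIQUE = encode(OAKLEY_GROUP_2 - 2**512, 2, 5)
```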