my original Apache 2.4.10 configuration didn't allow any AES128 settings. Because of that, Google Chrome informed me that my connection uses an obsolete cipher suite becuase AES_128_GCM (which is considered to be modern) was not available.
Now, I am using the following configuration:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLSessionTickets Off Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
I am using only AES128 in connection with GCM. I've read that AES_128_GCM is more secure than any other cipher suite using AES256 (besides GCM itself).
The thing is: because I am still allowing 128bit lengths, I only get 90 of 100 points. I think the test should be modified to take the other cipher suite parameters into account if 128bit is really not ideal. As of now, there is no browser which supports AES_256_GCM.
Is there a solution to get 100 / 100 and still have a modern cipher suite wrt Google?