I would like to understand why Qualys is identifying this SSL ciphersuite as weak: TLS_RSA_WITH_AES_256_GCM_SHA384. I am aware of the Bleichenbacher Weak Oracle attack. There are implementations of the ciphersuite that are weak/deficient and many others that are not. The deficient implementations need to be identified and patched. This is not the same as having an algorithmic design weakness. It is a software bug.