Why am I penalised for not supporting AEAD if no clients appear to use it?

Question asked by Jamie MacIsaac on Mar 14, 2018
(apologies if this has already been asked and I've failed to understand the answer)

If I deploy a Server 2012 R2 IIS website with TLS 1.1 and TLS 1.2 (only) enabled, I get an A. All of the Handshake Simulations use either TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. There's a bunch of other ciphers (all in orange and labelled as 'WEAK') which don't appear to be used, but if I disable them and run the test again I end up with a B because I have no AEAD ciphers enabled.
Why am I being penalised for not providing AEAD ciphers if nobody appears to use them?
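To make the distinction the question turns on concrete, here is an added example (not from the original post or from SSL Labs) that classifies cipher-suite names by bulk-cipher mode and applies the rule the post describes: if no enabled suite is AEAD, the grade is capped at B. The suite lists are constructed; the first one holds the CBC suites named in the question, the second adds one hypothetical GCM suite to show the check flipping.

```python
import re
from typing import Dict, List

# Constructed sample: the suites the question says the handshake simulations used.
# Every one of them is CBC mode with an HMAC, so none is AEAD.
ENABLED_CBC_ONLY: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

# Hypothetical list: the same suites plus one AEAD suite (AES-GCM).
ENABLED_WITH_AEAD: List[str] = ENABLED_CBC_ONLY + [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

# AEAD constructions are identifiable from the IANA suite name: GCM, CCM
# (including the CCM_8 variants) and ChaCha20-Poly1305. Everything else in the
# AES/3DES family is CBC with a separate MAC, i.e. encrypt-then-authenticate is
# not built into the cipher.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305_")

# Splits e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 into key exchange,
# bulk cipher and hash/PRF fields.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")


def is_aead(suite: str) -> bool:
    return any(marker in suite for marker in AEAD_MARKERS)


def is_forward_secret(suite: str) -> bool:
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def classify(suite: str) -> Dict[str, object]:
    """Return the fields of one suite plus its mode (AEAD or CBC)."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    return {
        "kx": m.group("kx"),
        "cipher": m.group("cipher"),
        "hash": m.group("hash"),
        "mode": "AEAD" if is_aead(suite) else "CBC",
        "forward_secret": is_forward_secret(suite),
    }


def aead_grade_cap(suites: List[str]) -> str:
    """Apply the rule from the question: no AEAD suite enabled -> capped at B."""
    return "B" if not any(is_aead(s) for s in suites) else "no cap"
```

Forward secrecy (ECDHE/DHE) and AEAD are independent properties, which is why a server can pass one check and still be capped on the other.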