
Qualys Recommended Cipher Setup with OpenSSL issues B rating with Weak Ciphers

Question asked by Hector Santos on Jul 26, 2018
Latest reply on Jul 31, 2018 by Robert Dell'Immagine

Excuse me if I'm not a crypto expert. I am trying to get this right and I have been beating my head over this for the past week.


We have an OpenSSL-based web server (Wildcat!) and with all my cipher research, I tried a variety of ciphers, including the ones recommended by Qualys. I am getting B ratings with reported weak ciphers, naming the AES* needed for Chrome. If I remove it, I get an A rating with the DH 2048 bits set at the server with forward secrecy, but Chrome no longer connects. Can't have that.


I have a customer with Wildcat! who is also using IIS server and it uses P521, P384, P256 curves. He is satisfied with this IIS server getting B rating with no weakness and forward secrecy and 100% support for all browsers.


How can I match this with an OpenSSL-based web server? Can I resolve the issue with the Qualys recommended ciphers, even if it's a B rating but with no weak ciphers and Chrome support?


Thank you for any guidance or tips you can provide.