Shall I know why TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being treated as weak? When did it become weak? Thanks.
Due to the difficulties in implementing CBC cipher suites, and the numerous known exploits against bugs in specific implementations, Qualys SSL Labs began marking all CBC cipher suites as WEAK in May 2019. While there are CBC implementations without known exploits, which are safe to use, there are better options that Qualys would like to encourage admins to adopt.
See the blog post for more details.
Recently new vulnerabilities like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities are applicable only if the server uses TLS 1.2 or TLS 1.1 or TLS 1.0 with CBC cipher modes.
– Zombie POODLE and GOLDENDOODLE Vulnerabilities on Qualys Blog
Retrieving data ...