Recently, our internal auditing team dinged us on the cipher suites that are being used for our UMP. The report that they run is a Qualys SSL Labs report. The audit hit we are receiving is a grade of 'B' for cipher strength. The reason for the 'B', is:
Penalty for not using AEAD suites (B)
Your site should use secure cipher suites. AEAD is the only encryption approach without any known weaknesses. The alternative, CBC encryption, is susceptible to timing attacks (as implemented in TLS). AEAD suites provide strong authentication, key exchange, forward secrecy, and encryption of at least 128 bits. TLS 1.3 supports only AEAD suites. SSL Labs doesn’t currently reward the use of AEAD suites. In this grading criteria update we will start requiring AEAD suites for A.
Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them.
Last night I attempted a number of AEAD compliant variations, but none would produce the wanted results. The issue's I ran into when testing connection, after restarting the wasp probe, was either:
-Could not access the ump due to a cipher mismatch
-Could access the ump but the Qualys report was worse off - Grad of 'F', instead of 'B'
So my question is, has anyone ran into a similar issue and have you successfully hardened the server? If so, any advice or pointers would be appreciated.
CA UMP ver 8.47
Support case has been opened as well