How can we enable SSL/TLS Forward Secrecy

SYSTEM INFORMATION
OS type and version CentOS7.9
Virtualmin version 7.20.1 Pro

Hi, we recently ran a security scan against our LAMP servers. The report told us that SSL/TLS forward secrecy is not enabled, so our LAMP servers were getting a rank B in the final report.

We would like to know how we can enable SSL/TLS forward secrecy on all of our virtual servers running under Virtualmin, given that we have about 400 ~ 600 sites running in total across 3 Virtualmin servers.

Thank you so much for the help

Eric

Perhaps, to start, get rid of an EOL operating system and use something more up to date

If Virtualmin DOES add this feature, I hope they keep in mind that some of us use “Location Blocks”… SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4

You just need to favor modern ciphers and disable out of date ones, AFAIK. Getting upgraded to Rocky or Alma 9 would be the first step, because the most dangerous/insecure thing about your system right now is that CentOS 7 has been unmaintained for almost a year.

We are planning to upgrade the current CentOS 7 server to AlmaLinux 8, but according to your comments, I have a few questions:

  1. Do we have to upgrade to AlmaLinux 9 to have this feature enabled in the version of Virtualmin which is designed just for AlmaLinux 9? Our current plan is to upgrade to AlmaLinux 8, not 9.

  2. Before we upgrade to AlmaLinux 8 or 9, can we do something on the current platform with the current Virtualmin version to enable SSL/TLS forward secrecy? Or is this feature ONLY available on the AlmaLinux 9 version of Virtualmin? We do need this before we move everything to the AlmaLinux platform.

Thank you so much for the help

Why? That’s also quite old, though it does have quite a bit of supported life left. I always recommend you do fresh installs on the current version of a supported OS, unless you have a really good reason to choose something older.

Probably. Though you probably have other (probably riskier) security issues with your system.

You could try enabling/disabling ciphers as documented here: ssl - How do I enable perfect forward secrecy by default on Apache? - Stack Overflow

We have docs for PCI, as well, though it’s been a while since it was updated, but it does include the protocol and cipher changes you need to make. That may be simpler to follow: PCI Compliance | Virtualmin — Open Source Web Hosting Control Panel

We have deployed the solution which was provided by Virtualmin support, but still failed the test from SSL Labs.
Here is the reference from the Virtualmin documentation: https://www.virtualmin.com/docs/security/pci-compliance/#apache-hardening
And here is the result of the testing:

Handshake Simulation
[Android 4.4.2](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2&key=62) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS
[Android 5.0.0](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=5.0.0&key=88) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp521r1 FS
[Android 6.0](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=6.0&key=129) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Android 7.0](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=7.0&key=167) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Android 8.0](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=8.0&key=168) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Android 8.1](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=8.1&key=157) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Android 9.0](https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=9.0&key=158) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[BingPreview Jan 2015](https://www.ssllabs.com/ssltest/viewClient.html?name=BingPreview&version=Jan%202015&key=91) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS
[Chrome 49 / XP SP3](https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=49&platform=XP%20SP3&key=136) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Chrome 69 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=69&platform=Win%207&key=152) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Chrome 70 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=70&platform=Win%2010&key=153) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Chrome 80 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=80&platform=Win%2010&key=170) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Firefox 31.3.0 ESR / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Firefox 47 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=47&platform=Win%207&key=132) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Firefox 49 / XP SP3](https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=49&platform=XP%20SP3&key=137) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Firefox 62 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=62&platform=Win%207&key=151) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Firefox 73 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=73&platform=Win%2010&key=171) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[Googlebot Feb 2018](https://www.ssllabs.com/ssltest/viewClient.html?name=Googlebot&version=Feb%202018&key=145) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[IE 11 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=143) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[IE 11 / Win 8.1](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1&key=134) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[IE 11 / Win Phone 8.1](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%20Phone%208.1&key=65) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS
[IE 11 / Win Phone 8.1 Update](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%20Phone%208.1%20Update&key=106) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[IE 11 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%2010&key=131) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Edge 15 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Edge&version=15&platform=Win%2010&key=144) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Edge 16 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Edge&version=16&platform=Win%2010&key=159) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Edge 18 / Win 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Edge&version=18&platform=Win%2010&key=160) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Edge 13 / Win Phone 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Edge&version=13&platform=Win%20Phone%2010&key=120) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Java 8u161](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=8u161&key=147) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Java 11.0.3](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=11.0.3&key=162) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Java 12.0.1](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=12.0.1&key=163) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[OpenSSL 1.0.1l](https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.0.1l&key=99) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS
[OpenSSL 1.0.2s](https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.0.2s&key=164) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[OpenSSL 1.1.0k](https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.1.0k&key=169) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[OpenSSL 1.1.1c](https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.1.1c&key=165) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 6 / iOS 6.0.1](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=6&platform=iOS%206.0.1&key=33) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Safari 7 / iOS 7.1](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=7&platform=iOS%207.1&key=63) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Safari 7 / OS X 10.9](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=7&platform=OS%20X%2010.9&key=35) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Safari 8 / iOS 8.4](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=8&platform=iOS%208.4&key=85) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Safari 8 / OS X 10.10](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=8&platform=OS%20X%2010.10&key=87) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH secp256r1 FS
[Safari 9 / iOS 9](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=9&platform=iOS%209&key=114) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 9 / OS X 10.11](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=9&platform=OS%20X%2010.11&key=111) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 10 / iOS 10](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=10&platform=iOS%2010&key=140) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 10 / OS X 10.12](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=10&platform=OS%20X%2010.12&key=138) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 12.1.2 / MacOS 10.14.6 Beta](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=12.1.2&platform=MacOS%2010.14.6%20Beta&key=161) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Safari 12.1.1 / iOS 12.3.1](https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=12.1.1&platform=iOS%2012.3.1&key=166) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Apple ATS 9 / iOS 9](https://www.ssllabs.com/ssltest/viewClient.html?name=Apple%20ATS&version=9&platform=iOS%209&key=112) R [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
[Yahoo Slurp Jan 2015](https://www.ssllabs.com/ssltest/viewClient.html?name=Yahoo%20Slurp&version=Jan%202015&key=92) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp384r1 FS
[YandexBot Jan 2015](https://www.ssllabs.com/ssltest/viewClient.html?name=YandexBot&version=Jan%202015&key=93) [RSA 2048 (SHA256)](https://www.ssllabs.com/ssltest/analyze.html?d=biophotonics.utoronto.ca#79fdf66ba9d4942668cf12226bfff966c187066a11af66d109cd390bff086c67) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS

Any idea how to get rid of this stupid windows phone cipher non-FS issue?

I don’t know what you mean by “stupid windows phone cipher”. But, when I click on the link to your report, I see RC4 is the primary cause of your grade being capped at B. I think you can just disable that cipher, too.

[IE 11 / Win Phone 8.1].............TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS

The above line was the cause of the grade B, since it clearly shows No FS at the end. I'm not sure if this is an RC4 cipher in this case? We did disable RC4 in the cipher list for sure, and the report doesn’t show anything related to RC4.
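
Added example (not part of the thread, Virtualmin's documentation, or SSL Labs tooling): a small parser for rows in the Handshake Simulation layout pasted above. It derives the key exchange and RC4 usage from each IANA suite name and lists the clients that negotiate without forward secrecy. The sample rows are constructed and their URLs are placeholders.

```python
import re

# Constructed sample rows in the layout of the pasted Handshake Simulation
# (client link, optional "R", certificate link, protocol, suite, curve, FS flag).
# The URLs are placeholders, not the report's own links.
SAMPLE = """\
[Android 9.0](https://example.invalid/c) [RSA 2048 (SHA256)](https://example.invalid/k) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
[IE 11 / Win Phone 8.1](https://example.invalid/c) R [RSA 2048 (SHA256)](https://example.invalid/k) TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS
[IE 11 / Win 10](https://example.invalid/c) R [RSA 2048 (SHA256)](https://example.invalid/k) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
"""

ROW = re.compile(
    r"^\[(?P<client>[^\]]+)\]\([^)]*\)\s+(?:R\s+)?"   # client link, optional R marker
    r"\[[^\]]+\]\([^)]*\)\s+"                         # certificate link
    r"(?P<proto>TLS \d\.\d)\s+(?P<suite>TLS_\w+)\s*(?P<rest>.*)$"
)

# Key exchanges that use ephemeral keys and therefore give forward secrecy.
FS_KEY_EXCHANGES = {"ECDHE", "DHE", "TLS1.3"}


def key_exchange(suite):
    """Return the key exchange named in an IANA cipher suite identifier."""
    if "_WITH_" not in suite:
        return "TLS1.3"  # TLS 1.3 suite names carry no key exchange; always ephemeral
    prefix = suite[len("TLS_"):suite.index("_WITH_")]  # e.g. "ECDHE_RSA" or "RSA"
    return prefix.split("_")[0]


def uses_rc4(suite):
    """True only when the bulk cipher in the suite name is RC4."""
    return "_RC4_" in suite


def parse_rows(text):
    """Parse simulation rows; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        rows.append({
            "client": m.group("client"),
            "suite": m.group("suite"),
            "kx": key_exchange(m.group("suite")),
            "reported_fs": rest.endswith("FS") and not rest.endswith("No FS"),
        })
    return rows


def non_fs_clients(text):
    """Clients whose negotiated suite has no ephemeral key exchange."""
    return [(r["client"], r["suite"], r["kx"])
            for r in parse_rows(text) if r["kx"] not in FS_KEY_EXCHANGES]


if __name__ == "__main__":
    for client, suite, kx in non_fs_clients(SAMPLE):
        print(f"{client}: {suite} (key exchange {kx}, RC4={uses_rc4(suite)})")
```

In OpenSSL cipher-string syntax, which Apache's `SSLCipherSuite` accepts, suites with static RSA key exchange are selected by the keyword `kRSA`, so a list that excludes them with `!kRSA` no longer offers the suite this script flags. A client that supports nothing else will then fail the handshake instead of connecting without forward secrecy.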