internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Phase out ciphers not always detected #1325

Open baknu opened 8 months ago

baknu commented 8 months ago

Exchange Online currently seems to support several 'phase out' ciphers (see list below). However, at the moment Internet.nl does not seem to detect these.

'AES256-GCM-SHA384 (TLS_RSA_WITH_AES_256_GCM_SHA384)', 
'AES256-SHA256 (TLS_RSA_WITH_AES_256_CBC_SHA256)', 
'AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA)', 
'AES128-GCM-SHA256 (TLS_RSA_WITH_AES_128_GCM_SHA256)', 
'AES128-SHA256 (TLS_RSA_WITH_AES_128_CBC_SHA256)', 
'AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA)'

This will probably get fixed via #1218.

mxsasha commented 8 months ago

Note that testssl confirms they are enabled, and they're not exactly obscure ciphers, so it's a surprise our current production does not detect them.

dennisbaaten commented 1 week ago

This issue is still open, but I noticed in this test result that the cipher AES256-GCM-SHA384 was detected as 'phase out'.