internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Phase out ciphers not always detected #1325

Open baknu opened 4 months ago

baknu commented 4 months ago

Exchange Online currently seems to support several 'phase out' ciphers (see list below). However, at the moment Internet.nl does not seem to detect these.

'AES256-GCM-SHA384 (TLS_RSA_WITH_AES_256_GCM_SHA384)', 
'AES256-SHA256 (TLS_RSA_WITH_AES_256_CBC_SHA256)', 
'AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA)', 
'AES128-GCM-SHA256 (TLS_RSA_WITH_AES_128_GCM_SHA256)', 
'AES128-SHA256 (TLS_RSA_WITH_AES_128_CBC_SHA256)', 
'AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA)'

This will probably get fixed via #1218.

mxsasha commented 4 months ago

Note that testssl confirms they are enabled, and they're not exactly obscure ciphers, so it's a surprise our current production does not detect them.