[quote="TCM, post:2, topic:8648"]
NIST apparently mandates TLS_RSA_WITH_AES_128_CBC_SHA support
[/quote]
This is also mentioned in RFCs. Modern standards mandate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and its ECDSA equivalent.
[quote="TCM, post:2, topic:8648"]
which will automatically prevent you from getting 100% in the cipher strength category on ssllabs
[/quote]
Cipher strength rating must not be 100% anyway. It prevents Firefox and Googlebot from negotiating modern crypto mandated by standards. Chrome and Android >= 5.0 as well, when CHACHA20_POLY1305 is not offered.
There are 2 real problems:
- High-Tech Bridge checker doesn’t give A+ to sites without TLS 1.1 support. If you support TLS 1.2 only, A is the maximum.
- It considers 2 months too short for HPKP and recommends 6 months instead, despite 2 months being recommended by standards and set as a possible maximum by browser vendors.
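As an added illustration of the two points above (not code from the post or from either checker mentioned), the following Python snippet classifies cipher suites by their IANA name, separating static-RSA/CBC suites such as TLS_RSA_WITH_AES_128_CBC_SHA from forward-secret AEAD suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and checks a Public-Key-Pins header's max-age against a 60-day cap (2 months, as in the post; the 60-day figure and the two-pin minimum are assumptions taken from RFC 7469 and browser behaviour, not from the post). The HPKP header and pin values are constructed samples.

```python
import re

# Key-exchange tokens that provide forward secrecy (ephemeral (EC)DH).
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
# Substrings that identify AEAD bulk ciphers in IANA suite names.
AEAD_MARKERS = ("GCM", "CHACHA20_POLY1305", "CCM")


def classify_suite(name):
    """Return (forward_secret, aead, notes) for a TLS_*_WITH_* suite name."""
    if "_WITH_" not in name:
        raise ValueError("not a TLS_*_WITH_* suite name: %s" % name)
    kx, cipher = name.split("_WITH_", 1)
    kx_tokens = set(kx.split("_")) - {"TLS"}
    forward_secret = bool(kx_tokens & FORWARD_SECRET_KX)
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    notes = []
    if not forward_secret:
        notes.append("static key exchange: no forward secrecy")
    if "CBC" in cipher:
        notes.append("CBC mode, not AEAD")
    elif not aead:
        notes.append("non-AEAD bulk cipher")
    return forward_secret, aead, notes


def is_modern(name):
    """A suite counts as modern here if it is both forward-secret and AEAD."""
    forward_secret, aead, _ = classify_suite(name)
    return forward_secret and aead


def review_hpkp(header_value, cap_days=60, min_pins=2):
    """Parse a Public-Key-Pins value; return (pin_count, max_age_days, ok).

    ok is True only if max-age is within cap_days and at least min_pins pins
    (the live pin plus a backup) are present.
    """
    pins = re.findall(r'pin-sha256="([^"]+)"', header_value)
    match = re.search(r"max-age\s*=\s*(\d+)", header_value)
    if match is None:
        raise ValueError("max-age directive missing")
    days = int(match.group(1)) / 86400
    ok = days <= cap_days and len(pins) >= min_pins
    return len(pins), days, ok


# Constructed inputs for a stand-alone run (suite names are real IANA names,
# the pin values are placeholders, not real certificate hashes).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]
SAMPLE_HPKP = (
    'pin-sha256="PLACEHOLDER_PIN_A="; pin-sha256="PLACEHOLDER_PIN_B="; '
    "max-age=5184000; includeSubDomains"
)

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        forward_secret, aead, notes = classify_suite(suite)
        verdict = "modern" if is_modern(suite) else "legacy"
        print("%-48s %s %s" % (suite, verdict, "; ".join(notes)))
    print("HPKP (pins, days, ok):", review_hpkp(SAMPLE_HPKP))
```

Run as-is, the script marks the static-RSA CBC suite as legacy on both counts and the two ECDHE AEAD suites as modern; the sample header (5184000 s = 60 days, two pins) passes, while the 6-month value the checker recommends would be flagged as exceeding the cap.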