Ugh!
This is annoying, but I found the correct settings so you can run SSL Labs against the admin interface and actually get a score that isn't capped at B because of the AES 128 CBC ciphers!
It is very simple:
```
config system global
    set ssl-min-proto-version TLSv1-2
    set admin-https-ssl-versions tlsv1-1 tlsv1-2
    # vvvv is the specific one that will disable the bad cryptographic ciphers
    set ssl-static-key-ciphers disable
    # ^^^^
end
```
`ssl-static-key-ciphers disable` turns off the cipher suites that use static RSA key exchange (no DH or ECDH), so only ephemeral (EC)DHE suites are left and the SSL Labs Forward Secrecy test passes. Note that `admin-https-ssl-versions` above still allows TLS 1.1 on the admin GUI; if you want TLS 1.2 only there, set it to `tlsv1-2` alone (SSL Labs has since started capping servers that still offer TLS 1.0 or 1.1 at B as well).
As soon as I did this and re-ran the scan, my firewalls returned A+ for their overall rating.
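If you want to confirm the change from the outside without waiting for an SSL Labs run, the script below (an added example, not from the original post or from Fortinet) offers the firewall only static-RSA suites on TLS 1.2: a refused handshake means `ssl-static-key-ciphers disable` took effect, a negotiated cipher means the old suites are still there. The hostname, port and the sample cipher list are assumptions and constructed data.

```python
"""Verify that a TLS endpoint (such as the FortiGate admin GUI configured above)
no longer accepts static-RSA key exchange, i.e. suites without forward secrecy.

Added example, not from the original post or Fortinet: the host/port
arguments and the cipher list below are assumptions / constructed data.
"""
import socket
import ssl
import sys

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secret):
# DHE/ECDHE on TLS 1.2 and below, and every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*).
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_AES_", "TLS_CHACHA20_")

# Constructed sample of what a server might offer before the change:
# the first three use (EC)DHE, the last three use static RSA key exchange.
SAMPLE_OFFERED_BEFORE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "AES128-SHA256",
]


def has_forward_secrecy(cipher_name):
    """True if the OpenSSL cipher name uses ephemeral (EC)DH key exchange."""
    return cipher_name.startswith(FORWARD_SECRET_PREFIXES)


def static_key_suites(cipher_names):
    """Return the suites in the list that rely on static RSA key exchange."""
    return [c for c in cipher_names if not has_forward_secrecy(c)]


def probe_static_rsa(host, port=443, timeout=5.0):
    """Offer the server ONLY static-RSA (OpenSSL 'kRSA') suites over TLS 1.2.

    Returns the negotiated cipher name if the server accepts one (static key
    ciphers still enabled), or None if the server refuses the handshake
    (what you want after 'set ssl-static-key-ciphers disable').
    Connection-level errors (refused, timeout) propagate so they are never
    mistaken for a pass.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The cipher policy is under test here, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Pin to TLS 1.2: TLS 1.3 suites are always ephemeral and cannot be
    # removed with set_ciphers(), so leaving 1.3 on would mask the result.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("kRSA")
    except ssl.SSLError as exc:
        raise RuntimeError("local OpenSSL has no static-RSA suites to offer") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        # Handshake alert (e.g. handshake_failure): no static-RSA suite accepted.
        return None


if __name__ == "__main__":
    # Assumed placeholder hostname; pass the real admin GUI address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "fw.example.internal"
    accepted = probe_static_rsa(target)
    if accepted is None:
        print(f"{target}: static-RSA handshake refused, forward secrecy enforced")
    else:
        print(f"{target}: still negotiates {accepted} (no forward secrecy)")
```

Run it as `python3 probe.py <firewall-host>` before and after the change; `static_key_suites()` is handy for triaging a cipher list pulled from another scanner, and the probe pins TLS 1.2 on purpose because a TLS 1.3 handshake would succeed with an ephemeral suite regardless of the setting.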