Ugh!
This is annoying but I found the correct settings so you can use SSL Labs and actually get a score that isn’t capped at B because of AES 128 CBC ciphers!
It is very simple:
[crayon]
config system global
set ssl-min-proto-version TLSv1-2
set admin-https-ssl-versions tlsv1-1 tlsv1-2
# vvvv is the specific one that will disable the bad cryptographic ciphers
set ssl-static-key-ciphers disable
# ^^^^
end
[/crayon]
This turns off the ciphers that do not support DH and allows for Forward Security test phase to pass.
As soon as I did this and rerun the scan my firewalls returned A+ for their overall rating.