GOLDENDOODLE vulnerability found with ECDHE-RSA-AES256-SHA384 on TLSv1.2

We recently ran a scan on one of our sites and it’s coming up as a fail because of a cipher quite being used. ECDHE-RSA-AES256-SHA384 on TLSv1.2. GitHub - tls-attacker/TLS-Padding-Oracles: New TLS Padding Oracles

What i find weird is it scans with an A score using a quick scan SSL Server Test (Powered by Qualys SSL Labs) . but when the paid scanner product from Qualys scans it fails the site, because of that cipher suite. Has anyone else seen that or know if there is a way to turn off a cipher suite? I’ve created a ticket with cloudflare, I might make one with Qualys since this seems new as we scan quarterly, we have a paid business account.

This message was part of a long thread on the subject:

We don’t want anyone connecting to our site with TLS 1.0 or 1.1 anyway. So that would be a positive for us and we have min support set to 1.2 already. So I guess I need to go to Qualys support and see why they failed our site for this when it should have only been marked as an orange weak according to their own blog posts?

Edit: so basically the solution was to just tell the vendor about this thread. and that it isn’t vulnerable. They took tat as acceptable.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.