To achieve FIPS compliance as part of FedRAMP requirements, Qualys US shared platforms (US1, US2 and US3) will accept only ECDHE cipher suites for client connections and will no longer accept DHE cipher suites. Qualys customers are advised to ensure that cipher settings on their systems are tuned for ECDHE to avoid connection issues.
Qualys is deploying new Citrix load balancers, which are equipped with internal HSM cards as required for FIPS compliance. FIPS devices must additionally adhere to strict NIST security controls, and only approved protocols and algorithms are allowed for the configuration of FIPS-enabled devices.
The ECDHE ciphers supported by the new load balancers are:
The new load balancers with FIPS-compliant configurations will be deployed during standard platform downtime windows:
- US Platform 2: April 22, 2021
- US Platform 1: April 29, 2021
- US Platform 3: May 6, 2021
As previously announced, Qualys platforms no longer support TLS 1.0 and 1.1. To see the supported TLS versions and ciphers for your platform, please refer to SSL Labs, e.g. SSL Labs report for US1 platform.
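
A local pre-check for the cipher tuning advised above, as an added example (not Qualys code): it expands an OpenSSL cipher string with Python's `ssl` module and reports whether the client would offer any ECDHE suite or only DHE. Assumptions: the client uses an OpenSSL-backed TLS stack, the sample cipher strings are constructed, and an offered ECDHE suite must still match one the platform actually supports.

```python
import ssl

def classify(cipher_string):
    """Expand an OpenSSL cipher string; bucket pre-TLS 1.3 suites by key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    buckets = {"ECDHE": [], "DHE": [], "other": []}
    for suite in ctx.get_ciphers():
        # Assumption: TLS 1.3 suites are skipped; the notice only discusses
        # ECDHE vs DHE suites, which are TLS 1.2 names.
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        if name.startswith("ECDHE-"):
            buckets["ECDHE"].append(name)
        elif name.startswith("DHE-"):
            buckets["DHE"].append(name)
        else:
            buckets["other"].append(name)
    return buckets

def audit(cipher_string):
    """Return 'ok' if any ECDHE suite is offered, else why the client is at risk."""
    b = classify(cipher_string)
    if b["ECDHE"]:
        return "ok"
    return "dhe-only" if b["DHE"] else "no-ephemeral-kx"

# Constructed sample client configurations (not taken from the notice).
SAMPLES = {
    "modern": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "legacy-dhe": "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256",
    "static-rsa": "AES128-GCM-SHA256",
}

if __name__ == "__main__":
    for label, cs in SAMPLES.items():
        print(f"{label:12} {audit(cs)}")
    # What this machine's OpenSSL offers when no cipher string is configured.
    print("library default:", audit("DEFAULT"))
```

Pass the cipher string from the client's own TLS configuration to `audit()`; any result other than `ok` means the client offers no ECDHE suite.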