Deprecating DHE Cipher Suites on Qualys US Platforms for FIPS Compliance

Himanshu Kathpal

To achieve FIPS compliance as part of FedRAMP requirements, Qualys US shared platforms (US1, US2 and US3) will accept only ECDHE cipher suites for client connections and will no longer accept DHE cipher suites. Qualys customers are advised to ensure that the cipher settings on their systems are tuned for ECDHE to avoid connection issues.

Qualys is deploying new Citrix load balancers, which are equipped with internal HSM cards as required for FIPS compliance. FIPS devices must additionally adhere to strict NIST security controls, and only approved protocols and algorithms are allowed for the configuration of FIPS-enabled devices.

The ECDHE ciphers supported by the new load balancers are:

  • TLS1.2-ECDHE-RSA-AES-256-SHA384
  • TLS1.2-ECDHE-RSA-AES-128-SHA256
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

This change will affect all connections to the Qualys Cloud Platform, including UIs, APIs, Scanner Appliances, and Cloud Agents.
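The following script, added here as an illustration and not part of the Qualys announcement, shows how a customer can check in advance whether a client's TLS cipher configuration would still negotiate one of the four accepted suites. It assumes the standard OpenSSL names for the Citrix suite names listed above, simulates a server that honours its own preference order (assumed to follow the order of the list above), and uses the local OpenSSL build via Python's `ssl` module to expand a client cipher string offline.

```python
import ssl

# Suites the announcement lists (Citrix naming), mapped to the OpenSSL names
# most client stacks use. The mapping is an assumption from standard naming.
ACCEPTED_SUITES = {
    "TLS1.2-ECDHE-RSA-AES-256-SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
# Assumed server preference order: the order the announcement lists them in.
SERVER_PREFERENCE = tuple(ACCEPTED_SUITES.values())


def negotiate(client_offer, server_accepts=SERVER_PREFERENCE):
    """Simulate a server that enforces its own order: return the first suite
    in the server's list that the client also offered, or None (handshake
    fails, which is what a DHE-only client will see after the change)."""
    offered = set(client_offer)
    for suite in server_accepts:
        if suite in offered:
            return suite
    return None


def tls12_offer(cipher_string):
    """TLS 1.2 suites the local OpenSSL client would offer for an OpenSSL
    cipher string. TLS 1.3 suites are always present in get_ciphers() and are
    excluded because the announcement lists only TLS 1.2 suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def check_client(cipher_string):
    """Report what a client configured with cipher_string would offer and
    which suite, if any, the new load balancers would select."""
    offer = tls12_offer(cipher_string)
    picked = negotiate(offer)
    return {"offered": offer, "negotiated": picked, "ok": picked is not None}


if __name__ == "__main__":
    # Constructed sample configurations: one mixed, one DHE-only.
    for cfg in ("ECDHE+AESGCM:DHE+AESGCM", "DHE+AESGCM"):
        try:
            r = check_client(cfg)
            print(f"{cfg}: {'OK' if r['ok'] else 'FAIL'} -> {r['negotiated']}")
        except ssl.SSLError as exc:
            print(f"{cfg}: no matching cipher in local OpenSSL ({exc})")
```

Run it against the cipher string your own client stack uses; a result of `FAIL` means the client offers no suite the new load balancers accept and will be refused after the cutover.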

The new load balancers with FIPS-compliant configurations will be deployed during standard platform downtime windows:

  • US Platform 2: April 22, 2021
  • US Platform 1: April 29, 2021
  • US Platform 3: May 6, 2021

As previously announced, Qualys platforms no longer support TLS 1.0 and 1.1. To see the supported TLS versions and ciphers for your platform, please refer to SSL Labs, e.g. the SSL Labs report for the US1 platform.


Comments


  1. It would be great if you could identify the QID that checks for supported ciphers – which would make it super easy for us to ensure all of our hosts will be compliant for the switch over.