Deprecating DHE Cipher Suites on Qualys US Platforms for FIPS Compliance
Last updated on: September 9, 2021
Update September 8, 2021: On US Platform 1 only, Qualys will move the qagpublic (Cloud Agent) traffic to the new load balancers after September 2021.
As mentioned in an earlier update, some US Platform 1 customers needed additional time to implement the infrastructure that supports the ECDHE cipher suites used by the new load balancers and to deprecate the less secure DHE cipher suites, and therefore we moved our qagpublic (Cloud Agent) traffic temporarily back to our old load balancers. This 6-week announcement is meant to give US Platform 1 customers sufficient time to complete any required changes on their side to support this security improvement.
Update May 19, 2021: Qualys Cloud Agent on macOS on US Platforms 2 and 3 is experiencing intermittent dropped connections because of an issue with FIPS cipher negotiation on the new load balancers. This issue does not affect Cloud Agent on Windows. As a workaround to reduce the impact, we are temporarily routing qagpublic (Cloud Agent) traffic to the old load balancers on US Platforms 2 and 3. Qualys Operations is working closely with Citrix on this issue, and as soon as they provide a fix, we will reverse this change and move the qagpublic (Cloud Agent) traffic back to the new load balancers.
Update May 12, 2021: Regarding this notification on deprecating DHE cipher suites on Qualys US platforms for FIPS compliance, we observed that some of our US1 Platform customers need additional time to meet the requirements of the newer ciphers. We have therefore decided to revert this change for our “qagpublic” (agent) traffic and are temporarily moving our qagpublic (agent) traffic to our old load balancers until we get confirmation from the affected customers that their infrastructure can support the new, stronger ciphers. This change will not impact customers already using the stronger ciphers.
Original Post April 29, 2021: To achieve FIPS compliance as part of FedRAMP requirements, Qualys US shared platforms (US1, US2 and US3) will accept only ECDHE cipher suites for client connections and will no longer accept DHE cipher suites. Qualys customers are advised to ensure that the cipher settings on their systems are tuned for ECDHE to avoid connection issues.
Qualys is deploying new Citrix load balancers, which are equipped with internal HSM cards as required for FIPS compliance. FIPS devices must additionally adhere to strict NIST security controls, and only approved protocols and algorithms are allowed for the configuration of FIPS-enabled devices.
The ECDHE ciphers supported by the new load balancers are:
- TLS1.2-ECDHE-RSA-AES-256-SHA384
- TLS1.2-ECDHE-RSA-AES-128-SHA256
- TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
- TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
This change will affect all connections to the Qualys Cloud Platform, including UIs, APIs, Scanner Appliances, and Cloud Agents.
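A client-side preflight for the cutover, added here as an example and not Qualys's own tooling: it builds a TLS client that offers only the four ECDHE suites listed above (mapped to their OpenSSL names), checks which of them the local TLS stack can actually offer, and reports the suite a host negotiates. The host name in the usage line is a placeholder to replace with your platform's API or agent endpoint.

```python
import socket
import ssl

# The four suites from the notice, in the Citrix naming used on the new load
# balancers, mapped to the OpenSSL names a client configures.
QUALYS_ECDHE_SUITES = {
    "TLS1.2-ECDHE-RSA-AES-256-SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def ecdhe_only_context() -> ssl.SSLContext:
    """Client context offering only the notice's ECDHE suites for TLS 1.2.

    Offering exactly what the new load balancers accept rehearses the cutover
    from the client side: a handshake failure means something in the path
    (an old TLS stack, an intercepting proxy) cannot negotiate ECDHE.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 already retired
    ctx.set_ciphers(":".join(QUALYS_ECDHE_SUITES.values()))
    return ctx


def tls12_cipher_names(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suites the local OpenSSL build will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def unsupported_locally(ctx: ssl.SSLContext) -> list:
    """Suites from the notice that this client cannot offer at all."""
    return sorted(set(QUALYS_ECDHE_SUITES.values()) - set(tls12_cipher_names(ctx)))


def negotiated_cipher(host: str, port: int = 443, timeout: float = 10.0):
    """Return (suite, protocol) on success, or (None, error text) on failure."""
    ctx = ecdhe_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except (ssl.SSLError, OSError) as exc:  # handshake failure, timeout, DNS
        return None, str(exc)


if __name__ == "__main__":
    print("cannot offer locally:", unsupported_locally(ecdhe_only_context()))
    # Placeholder host: substitute your Qualys platform endpoint.
    print(negotiated_cipher("qualysapi.example.invalid"))
```

If the connection succeeds but the reported protocol is TLSv1.3, the suite name will be a TLS 1.3 name rather than one of the four above, which is expected since TLS 1.3 key exchange is always ephemeral.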
The new load balancers with FIPS-compliant configurations will be deployed during standard platform downtime windows:
- US Platform 2: April 22, 2021
- US Platform 1: April 29, 2021
- US Platform 3: May 6, 2021
As previously announced, Qualys platforms no longer support TLS 1.0 and 1.1. To see the supported TLS versions and ciphers for your platform, please refer to SSL Labs, for example the SSL Labs report for the US1 platform.
It would be great if you could identify the QID that checks for supported ciphers – which would make it super easy for us to ensure all of our hosts will be compliant for the switch over.