Deprecating DHE Cipher Suites on Qualys Services for FIPS Compliance

Himanshu Kathpal

To achieve FIPS compliance as part of FedRAMP requirements, the services listed below will accept only ECDHE cipher suites for client connections and will no longer accept DHE cipher suites. Qualys customers are advised to ensure that the cipher settings on their systems are tuned for ECDHE to avoid connection issues.

Qualys is deploying new load balancers equipped with internal HSM cards, as required for FIPS compliance. FIPS devices must also adhere to strict NIST security controls, and only approved protocols and algorithms may be configured on FIPS-enabled devices.

The ECDHE ciphers supported by the new load balancers are:

  • TLS1.2-ECDHE-RSA-AES-256-SHA384
  • TLS1.2-ECDHE-RSA-AES-128-SHA256
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

This change will affect all connections to the Qualys Cloud Platform, including UIs and APIs.
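As an added illustration (not Qualys's own code or tooling), the following Python check reports whether the local OpenSSL build can offer any of the four listed suites and which DHE suites will stop negotiating. It assumes the mapping from the load balancer's suite names to OpenSSL names given in the dictionary; verify it against your own TLS stack.

```python
import ssl

# The four suites the announcement lists, keyed by the load balancer's naming and
# mapped to the OpenSSL names a client-side check needs (mapping assumed here).
REQUIRED_SUITES = {
    "TLS1.2-ECDHE-RSA-AES-256-SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def is_dhe(name):
    """True for finite-field DHE suites (the ones being deprecated), not ECDHE."""
    return name.startswith("DHE-") or name.startswith("EDH-")


def readiness(cipher_names):
    """Classify a client's offered cipher names against the required ECDHE set."""
    offered = set(cipher_names)
    required = set(REQUIRED_SUITES.values())
    return {
        "usable": sorted(offered & required),       # will negotiate after the change
        "missing": sorted(required - offered),      # listed suites this client lacks
        "dhe_only": sorted(n for n in offered if is_dhe(n)),  # will be rejected
        "ready": bool(offered & required),
    }


def local_client_ciphers():
    """Cipher names the local OpenSSL build offers with Python's default context."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


def ecdhe_only_context():
    """Client context restricted to the four listed TLS 1.2 suites.

    Raises ssl.SSLError if the local OpenSSL build supports none of them.
    TLS 1.3 suites are configured separately and are not affected by set_ciphers().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))
    return ctx


if __name__ == "__main__":
    report = readiness(local_client_ciphers())
    print("ready for ECDHE-only endpoints:", report["ready"])
    print("usable:", report["usable"], "missing:", report["missing"])
    print("DHE suites that will stop working:", report["dhe_only"])
```

Run it on each system that talks to the Qualys UI or API; a `ready` of `False` means the client cannot complete a handshake once DHE is refused.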

The new load balancers with FIPS-compliant configurations will be deployed on 7 October 2021.

As previously announced, Qualys platforms no longer support TLS 1.0 and 1.1. To see the supported TLS versions and ciphers for your platform, refer to SSL Labs (for example, the SSL Labs report for the US1 platform).

Also as previously announced, Qualys has deprecated DHE cipher suites on the Qualys US platforms for FIPS compliance.
