Thank you for the custom ciphers.  This tweak boosted my SSL Labs score to an A!!!

@Karsten Iwen Thanks for this - I just came across your answer.

FYI I was able to accomplish pretty much the same thing on an FMC-managed FTD device via Devices > Platform Settings > SSL as follows:

FTD TLS Platform Settings

Applying the above settings on an FTD device (mine was running FTD 6.4.0.5) will result in an "A-" Qualys scan score. Cisco's decision not to support secure renegotiation limits us to that:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud62637

https://community.cisco.com/t5/firewalls/cisco-asa-5512-9-8-2-support-for-secure-renegotiation/td-p/3754076

FYI all - it appears that Cisco has slipped in "secure renegotation" support recently.

I cannot find it in the release notes (or interim release notes); but I just built a new ASAv in AWS using 9.16(1)28 and was pleasantly surprised to see it earn an "A+" from Qualys. I didn't do anything special beyond the recommendations documented by @Karsten Iwen .

This is really good news! Took some time …

@Karsten Iwen indeed it did!

By the way I just tuned an FTD 7.0 deployment similarly. The settings noted above also result in an A+ for FTD.

Also, as of 7.0 we can make those settings in both FMC- and FDM-managed environments. Previously FDM did not expose those settings.

Karsten,

I have success in using the above ciphers in my ASA-5545's however I am unable to use them in my FP2120's running ASA image, ver 9.16(3)23. I am able to create the custom cipher list for tlsv1.2 only, the rest throw out an error: 

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 "
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
PROD-VPN-ASA1-FP2K# config t
PROD-VPN-ASA1-FP2K(config)# ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:D$
ERROR: Unable to create cipher list
ERROR: Unable to update ciphers.

Suggestions? TAC is scratching their heads on this one as well.

With "server-version tlsv1.2" you don't need the ciphers for 1.0 and 1.1 as these versions are disabled anyhow.

Even with "ssl cipher tlsv1.2 high" there are some legacy ciphers enabled. I would manually enable only the best FS-ciphers.

Yes, key exchange will be scored 90% unless you have a key >= 4096 bits.

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Most keys in use today are 2048 bits. Even www.nsa.gov gets 90% due to a 2048 bit key.

We used to get 100% on Key Exchange, but now we get 90%. We didn't change anything pertaining to our certificate or key.

As you previously mentioned, it looks like Cisco did finally add working Secure Negotitation support because our grade is no longer capped to an A-.

We are only using one cipher (see below).

However, the report lists these.

I assume the score is getting capped at 90% because it's choosing another cipher first. However, I don't understand where it's getting the other ones from. Our goal is to only use (force) secp384r1.