Chrome: Your connection is encrypted with obsolete cryptography with 10.2.4HF11 LTM
If you double click on the "lock" icon, Chrome says:
Your connection to (mysite.com) is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_128_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.
What part of this is considered obsolete? Is this an issue with the cert or the ciphers?
Please note that this site passes SHA2 checks such as "SSLlabs.com" and https://shaaaaaaaaaaaaa.com/. However, the CSR was generated with Signature Algorithm: sha1WithRSAEncryption. The certificate was issued by the CA with Signature Algorithm: sha256WithRSAEncryption. I don't think starting from scratch with a SHA2 CSR key matters because the cert was issued with sha256.
Also, if I terminate the connection on a Windows 2012 server, rather than on LTM, the obsolete message goes away and it shows a different cipher and key exchange mechanism, which makes me think it is only a cipher issue. I'm using the following NATIVE ciphers that pass SSL Labs tests (score A-) as follows:
!SSLv3:!SSLv2:ALL:!DES-CBC-SHA:!DH:!ADH:!EDH:!EXPORT:!RC4-SHA:!RC4-MD5:@SPEED
I don't think enabling non-NATIVE ciphers is a good idea due to limited available CPU cycles. Is this something I should just leave alone until we upgrade to 11?
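
Added example, not part of the original post: a small parser for the lock-icon text quoted above that reports which negotiated components fall outside "modern cryptography". The criteria (TLS 1.2 or later, an AEAD cipher, an ephemeral key exchange) are an assumption modelled on Chrome's check of that era, and the second sample message is constructed for comparison.

```python
import re

# Assumption (not stated in the post): the rule below models Chrome's
# "modern cryptography" criteria of that era: TLS 1.2 or later, an AEAD
# bulk cipher, and an ephemeral (forward-secret) key exchange.
AEAD_MARKERS = ("GCM", "CHACHA20_POLY1305")
EPHEMERAL_KEX = ("ECDHE", "DHE")

# Message quoted in the post (spacing normalised).
POSTED = ("The connection uses TLS 1.2. The connection is encrypted using "
          "AES_128_CBC with SHA1 for message authentication and RSA as the "
          "key exchange mechanism.")
# Constructed sample of an AEAD + ECDHE connection, for comparison.
CONSTRUCTED = ("The connection uses TLS 1.2. The connection is encrypted and "
               "authenticated using AES_128_GCM and uses ECDHE_RSA as the "
               "key exchange mechanism.")

def parse_details(text):
    """Pull protocol, cipher, MAC and key exchange out of the lock-icon text."""
    proto = re.search(r"uses (TLS|SSL) ?(\d+)\.(\d+)", text)
    cipher = re.search(r"encrypted(?: and authenticated)? using (\w+)", text)
    mac = re.search(r"with (\w+) for message authentication", text)
    kex = re.search(r"(\w+) as the key exchange", text)
    if not (proto and cipher and kex):
        raise ValueError("unrecognised connection description")
    return {
        "protocol": proto.group(1),
        "version": (int(proto.group(2)), int(proto.group(3))),
        "cipher": cipher.group(1),
        "mac": mac.group(1) if mac else None,  # AEAD suites carry no separate MAC
        "kex": kex.group(1),
    }

def obsolete_parts(d):
    """Return the components that fail the assumed criteria."""
    found = []
    if d["protocol"] != "TLS" or d["version"] < (1, 2):
        found.append("protocol")
    if not any(marker in d["cipher"] for marker in AEAD_MARKERS):
        found.append("cipher")
    if not d["kex"].startswith(EPHEMERAL_KEX):
        found.append("key exchange")
    return found

if __name__ == "__main__":
    for label, msg in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, obsolete_parts(parse_details(msg)))
```

Under these criteria the posted connection is flagged on the cipher and the key exchange only; the check never looks at the certificate's signature algorithm.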