I have a PHP application with apache hosted on Heroku. The APP is using a custom domain and ACM. When I submitted my site for ISO certification they mentioned that your site doesn't support "forward secrecy" on ssllabs and asked to fix it. As Heroku doesn't allow the app developers to change server config (apache in my case) so I can't make changes recommended by developers to enable "forward secrecy".Does anyone else has implemented forward secrecy? Have you faced something similar with Heroku?
As explained in the Heroku Dev Center article HTTP Routing, Heroku apps in Common Runtime support the following cipher suites. The list is optimized to provide a reasonable level of security while supporting a wide range of client software and is not something that can be configured.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
Among the cipher suits, the last two don't provide forward secrecy and are ranked as "B" by SSL Labs. These are for older versions of a browser that is still supported by the browser vendor.
I tried with proxy service (via Heroku add-ons) Fastly, Edge, or Expedited CDN (beta) which provide a different set of cipher suites, and Edge worked fine, the setup is quite simple and straightforward.
Heroku support confirmed that If anyone using Cloudflare then the addon is not required but I haven't tested Cloudflare as I am not using it.