When testing the encryption ciphers served by Platform.sh with my security scanner, some of them appear to be older/deprecated (like TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256). Can these be disabled ?
Those deprecated cipher suites are still required for TLS 1.2 compatibility and cannot be disabled yet.
Once TLS 1.3 is ready to roll out, the possibility to remove them will be implemented similar to what is described here.
Our blog post: Tightening TLS also provides more information on future security related changes.