Re: TLSv1.3, AES and Apache2 on opensuse leap 15.2

Hello Rüdiger,

I got the same reply on the opensuse forums.
Yes, it does "fix" my "issue", but as the reply on the forums noted: AES128 is mandatory for a 1.3 compliant implementation. As for why: I guess we all can come up with some three letter shorts without mentioning them by name. As for the ssllabs.com test: as I dug deeper into this "1.3 requires 128" I found an issue on github talking about it. At first there was a penalty in place for not supporting the mandatory AES128, but this ended up with the test applying a penalty either way, no matter if AES128 was supported or not: one for supporting AES128, the other for not following the RFC. The latter one was removed, so although technically any server not supporting AES128 doesn't fully follow the standard, the folks over at ssllabs.com seem to see the increased security as more important than following the [insert some North American three letter short here] "recommendation".

Anyway - as the test now shows the desired result I mark this topic as solved for now.

Matt

Am 21.07.2020 um 08:40 schrieb Rüdiger Plüm:

On 7/21/20 4:20 AM, cryptearth wrote:
First off: as I'm not sure what's causing this issue I'll post this question in these locations:
opensuse official forums https://forums.opensuse.org/showthread.php/541909-TLSv1-3-AES-and-Apache2
apache httpd mailing list
openssl mailing list

As OpenSuSE 15.2 was recently released with openssl 1.1.1 in its repos, it's now possible to use TLSv1.3 with Apache2 out of the box.
As I use the TLS test on ssllabs.com as a reference I encountered some issues I'd like to ask for help to fix.
First off, and most important, the versions used:

apache2: 2.4.43-lp152.1.1
openssl: 1.1.1d-lp152.1.1

And here's the config (only used ssl-global.conf for this test):

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
Try replacing the one SSLCiphersuite directive above with the below two ones:

SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

See http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite

Regards

Rüdiger
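Rüdiger's two directives work because OpenSSL 1.1.1 keeps the TLS 1.2 cipher list and the TLS 1.3 ciphersuite list in separate settings, so mod_ssl needs the `SSLCipherSuite TLSv1.3 ...` form to configure the latter. The script below is an added example, not part of this thread or of Apache/OpenSSL, for checking from the client side that the change took effect: it offers the server each TLS 1.3 suite on its own with `openssl s_client -tls1_3 -ciphersuites` and reports whether the server accepted it. With the configuration above, TLS_AES_128_GCM_SHA256 (the suite RFC 8446 section 9.1 makes mandatory to implement, and the one ssllabs.com was flagging) should come back as rejected. PROBE_HOST and PROBE_PORT are placeholders, and the two sample transcripts are constructed to exercise the parsing offline.

```shell
#!/bin/sh
# Added example, not from the thread: client-side check that the split
# SSLCipherSuite / SSLCipherSuite TLSv1.3 configuration actually took
# effect, by offering the server each TLS 1.3 suite in turn with
# `openssl s_client -tls1_3 -ciphersuites` (OpenSSL 1.1.1+ on PATH).
# PROBE_HOST / PROBE_PORT are placeholders supplied by the caller.

# The five TLS 1.3 suites OpenSSL 1.1.1 knows. RFC 8446 section 9.1 makes
# TLS_AES_128_GCM_SHA256 mandatory-to-implement, which is exactly the
# suite the thread's configuration leaves out.
TLS13_SUITES="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 \
TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"

# Extract the negotiated suite from an s_client transcript ($1).
# Prints the suite name, or "none" when no TLS 1.3 session was set up
# (s_client then reports "New, (NONE), Cipher is (NONE)").
negotiated_suite() {
    printf '%s\n' "$1" \
        | sed -n 's/^New, TLSv1\.3, Cipher is \([A-Z0-9_]*\).*/\1/p' \
        | head -n 1 | grep . || echo none
}

# "accepted" if the server negotiated exactly the offered suite ($1)
# according to the transcript ($2), otherwise "rejected".
classify() {
    if [ "$(negotiated_suite "$2")" = "$1" ]; then
        echo accepted
    else
        echo rejected
    fi
}

# Offer a single TLS 1.3 suite ($3) to host ($1) and port ($2), then
# classify the outcome. Needs network access and a reachable server.
probe_suite() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" \
            -tls1_3 -ciphersuites "$3" </dev/null 2>&1)
    classify "$3" "$out"
}

# Constructed sample transcripts (abridged s_client output) so the
# parsing logic can be exercised without a network.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'
SAMPLE_REJECT='CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40
---
New, (NONE), Cipher is (NONE)'

# Run the live probe only when a target is given, e.g.
#   PROBE_HOST=www.example.com PROBE_PORT=443 sh probe_tls13.sh
if [ -n "${PROBE_HOST:-}" ]; then
    for s in $TLS13_SUITES; do
        printf '%-32s %s\n' "$s" \
            "$(probe_suite "$PROBE_HOST" "${PROBE_PORT:-443}" "$s")"
    done
fi
```

Against a server carrying the configuration from this thread the expected output is "accepted" for TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 and "rejected" for the three AES-128 suites; if TLS_AES_128_GCM_SHA256 still shows as accepted, the TLS 1.3 list was never applied (for example because the names were only present in the plain SSLCipherSuite line, where OpenSSL ignores them).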




