On 21/07/2020 09:42, cryptearth wrote:
> Hello Rüdiger,
>
> I got the same reply on the opensuse forums.
> Yes, it does "fix" my "issue", but as the reply on the forums noted:
> AES128 is mandatory for a 1.3 compliant implementation,

AES128 is mandatory-to-implement for an RFC compliant implementation of
TLSv1.3. AFAIK it is *not* mandatory for a client to offer it, nor is it
mandatory for a server to accept it. It's just that the implementation
has to be *able* to do it. There should be no problems with you
configuring things to not offer or accept AES128.

Matt

> as for why: I
> guess we all can come up with some three letter shorts without
> mentioning them by name.
> As for the ssllabs.com test: As I dug deeper in this "1.3 requires 128"
> I found an issue on github talking about it. At first there was a
> penalty in place for not supporting the mandatory AES128, but this ended
> up in no matter if AES128 was supported or not the test ended up with a
> penalty either way, one for supporting AES128 - the other for not
> following the RFC. The latter one was removed so although technically any
> server not supporting AES128 doesn't fully follow the standard the folks
> over at ssllabs.com seem to see the increased security is more important
> than to follow the [insert some north-american three letter short here]
> "recommendation".
>
> Anyway - as the test now shows the desired result I mark this topic as
> solved for now.
>
> Matt
>
> On 21.07.2020 at 08:40, Rüdiger Plüm wrote:
>>
>> On 7/21/20 4:20 AM, cryptearth wrote:
>>> first off: as I'm not sure what's causing this issue I'll post this
>>> question on these locations:
>>> opensuse official forums
>>> https://forums.opensuse.org/showthread.php/541909-TLSv1-3-AES-and-Apache2
>>>
>>> apache httpd mailing list
>>> openssl mailing list
>>>
>>> As OpenSuSE 15.2 recently released with openssl 1.1.1 in its repos
>>> it's now possible to use TLSv1.3 with Apache2 out of the box.
>>> As I use the TLS test on ssllabs.com as a reference I encountered
>>> some issues I'd like to ask for help to fix.
>>> First off, as most important, the used versions:
>>>
>>> apache2: 2.4.43-lp152.1.1
>>> openssl: 1.1.1d-lp152.1.1
>>>
>>> And here's the config (only used ssl-global.conf for this test):
>>>
>>> SSLProtocol -all +TLSv1.2 +TLSv1.3
>>> SSLCipherSuite
>>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
>>>
>> Try replacing the one SSLCiphersuite directive above with the below
>> two ones:
>>
>> SSLCipherSuite
>> ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
>>
>> SSLCipherSuite TLSv1.3
>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
>>
>> See http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
>>
>> Regards
>>
>> Rüdiger
>>
>
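As an added example (not code from the thread, nor from httpd or OpenSSL), here is a small Python linter for the situation Rüdiger's reply corrects. It parses the SSLCipherSuite directives of an httpd config fragment, flags TLS 1.3 suite names placed in the plain (TLS 1.2 and below) list, where they do not control TLS 1.3 negotiation, flags any AES-128 suite in either list, and points out that without a "SSLCipherSuite TLSv1.3" directive OpenSSL 1.1.1's default TLS 1.3 list, which includes TLS_AES_128_GCM_SHA256, is what gets offered. The function names are mine; the two config fragments are the thread's original and corrected directives, written on single lines as httpd expects them.

```python
"""Lint Apache mod_ssl cipher directives for the TLS 1.2 / TLS 1.3 split.

Added example (not code from the thread or from httpd/OpenSSL). It reads an
httpd config fragment and reports AES-128 suites and misplaced TLS 1.3 suite
names; audit() returns the findings as strings so they can be checked.
"""
import re

# IANA-style TLS 1.3 suite names as OpenSSL 1.1.1 spells them (TLS_AES_256_GCM_SHA384, ...)
TLS13_NAME = re.compile(r"^TLS_[A-Z0-9]+(?:_[A-Z0-9]+)*$")
# Both spellings: "AES128" in OpenSSL's TLS 1.2 names, "AES_128" in the TLS 1.3 names
AES128 = re.compile(r"AES_?128")
# OpenSSL 1.1.1 default TLS 1.3 list, in effect when httpd sets no TLSv1.3 list
OPENSSL_DEFAULT_TLS13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"


def parse_ssl_cipher_directives(conf_text):
    """Collect (tls12_suites, tls13_suites) from SSLCipherSuite lines.

    mod_ssl syntax: 'SSLCipherSuite [protocol] cipher-spec', where protocol is
    'SSL' (the default: TLS 1.2 and below) or 'TLSv1.3'. A directive wrapped
    onto a continuation line (as in the mail) is not handled by this linter.
    """
    tls12, tls13 = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "SSLCipherSuite":
            continue
        if len(parts) == 3 and parts[1] == "TLSv1.3":
            target, spec = tls13, parts[2]
        elif len(parts) == 3 and parts[1] == "SSL":
            target, spec = tls12, parts[2]
        elif len(parts) == 2:
            target, spec = tls12, parts[1]
        else:
            continue  # not a shape this linter understands; skipped
        target.extend(s for s in spec.split(":") if s)
    return tls12, tls13


def audit(conf_text):
    """Return human-readable findings; an empty list means nothing to flag."""
    tls12, tls13 = parse_ssl_cipher_directives(conf_text)
    findings = []
    for name in tls12:
        if TLS13_NAME.match(name):
            findings.append(f"{name}: TLS 1.3 suite in the TLS 1.2 SSLCipherSuite list; "
                            "it does not control TLS 1.3 there, use 'SSLCipherSuite TLSv1.3'")
        elif AES128.search(name):
            findings.append(f"{name}: AES-128 suite offered for TLS 1.2")
    if tls13:
        origin = "configured"
    else:
        # Nothing configured for TLS 1.3, so OpenSSL's built-in default applies.
        tls13 = OPENSSL_DEFAULT_TLS13.split(":")
        origin = "OpenSSL 1.1.1 default, no 'SSLCipherSuite TLSv1.3' directive"
    for name in tls13:
        if not TLS13_NAME.match(name):
            findings.append(f"{name}: not a TLS 1.3 suite name, has no effect in 'SSLCipherSuite TLSv1.3'")
        elif AES128.search(name):
            findings.append(f"{name}: AES-128 suite offered for TLS 1.3 ({origin})")
    return findings


# The thread's directives, before and after Rüdiger's suggested change, each
# written on one line (the mail client had wrapped them).
THREAD_ORIGINAL = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
"""
THREAD_FIXED = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for label, conf in (("original", THREAD_ORIGINAL), ("fixed", THREAD_FIXED)):
        print(f"== {label} ==")
        for finding in audit(conf) or ["clean"]:
            print("  " + finding)
```

Run against the thread's original single directive it reports the two TLS_ names as having no effect in the TLS 1.2 list and, because no TLSv1.3 list is set, the default TLS_AES_128_GCM_SHA256; against the two-directive form it reports nothing, which is the state the ssllabs.com test then confirmed.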