TLSv1.3, AES and Apache2 on opensuse leap 15.2
cryptearth
cryptearth at cryptearth.de
Tue Jul 21 02:20:27 UTC 2020
First off: as I'm not sure what's causing this issue, I'll post this
question in these locations:
opensuse official forums
https://forums.opensuse.org/showthread.php/541909-TLSv1-3-AES-and-Apache2
apache httpd mailing list
openssl mailing list
As OpenSuSE 15.2 was recently released with openssl 1.1.1 in its repos, it's
now possible to use TLSv1.3 with Apache2 out of the box. As I use the
TLS test on ssllabs.com as a reference, I encountered some issues I'd
like to ask for help to fix.
First off, and most important, the versions used:
apache2: 2.4.43-lp152.1.1
openssl: 1.1.1d-lp152.1.1
And here's the config (only ssl-global.conf was used for this test):
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
There were no other changes made to any other conf.
As one can see, I only enabled AES with a 256-bit key length and ordered
chacha20 preferred over AES. But when testing with the ssllabs.com server
test, it shows two issues I'm unable to solve myself:
1) although not enabled, the server test also shows AES with only a 128-bit
key length enabled and working, hence capping the score to only 90% for
cipher strength (only ciphers with an equivalent of at least RSA 4096
give one the full 100%)
2) the order doesn't match the config: it shows AES256 as the most
preferred one, then followed by chacha20 and finally AES128
As I don't know if this is an issue with apache, openssl or opensuse, I
posted it on all three to reach the most groups of people, so, if you're a
member of more than one of the mentioned, I apologize if you get this
topic multiple times.
Thanks in advance to anyone,
Matt
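Editor's note, added here and not part of Matt's post: the two symptoms are what you get when TLSv1.3 suites are written into a plain SSLCipherSuite spec. In OpenSSL 1.1.1 the plain spec goes to SSL_CTX_set_cipher_list(), which only governs TLSv1.2 and older, so the TLS_* names are silently ignored and the TLSv1.3 suites remain at OpenSSL's built-in default, TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256, which is precisely the order and the extra 128-bit suite the ssllabs report shows. Apache 2.4.36 and later (so 2.4.43 qualifies) take TLSv1.3 suites through the protocol-prefixed form of SSLCipherSuite, which maps to SSL_CTX_set_ciphersuites(). Below is the posted ssl-global.conf excerpt beside the corrected form; the hostname in the usage note is a placeholder.

```apache
# ssl-global.conf (excerpt): the posted configuration, then the form mod_ssl
# on Apache 2.4.43 / OpenSSL 1.1.1 actually needs.
#
# As posted. The TLS_* entries are TLSv1.3 ciphersuites; a plain
# SSLCipherSuite spec is passed to OpenSSL's cipher list (TLSv1.2 and
# below), which ignores them, so TLSv1.3 keeps OpenSSL's default suites:
# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#SSLProtocol -all +TLSv1.2 +TLSv1.3
#SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
#SSLOpenSSLConfCmd Curves secp521r1:secp384r1

SSLProtocol -all +TLSv1.2 +TLSv1.3

# TLSv1.3 suites use the protocol-prefixed form (mod_ssl 2.4.36+), which
# calls SSL_CTX_set_ciphersuites(). Listing only these two drops
# TLS_AES_128_GCM_SHA256 and puts CHACHA20 ahead of AES-256.
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

# TLSv1.2 suites stay in the plain form (SSL_CTX_set_cipher_list()).
SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384

# Server-side order is only enforced when this is on; otherwise the
# client's preference among the enabled suites wins.
SSLHonorCipherOrder on

SSLOpenSSLConfCmd Curves secp521r1:secp384r1
```

To check the change without waiting for ssllabs, offer only the suite that should now be gone: `openssl s_client -connect example.org:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 </dev/null` must fail to handshake after the reload, while the same command with `-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384` should succeed and report the negotiated suite in its output. `SSLOpenSSLConfCmd Ciphersuites ...` is the equivalent way to set the TLSv1.3 list if you prefer to keep everything in SSLOpenSSLConfCmd directives.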