TLSv1.3, AES and Apache2 on opensuse leap 15.2

cryptearth cryptearth at cryptearth.de
Tue Jul 21 08:42:41 UTC 2020


Hello Rüdiger,

I got the same reply on the opensuse forums.
Yes, it does "fix" my "issue", but as the reply on the forums noted: 
AES128 is mandatory for a 1.3-compliant implementation; as for why, I 
guess we all can come up with some three-letter shorts without 
mentioning them by name.
As for the ssllabs.com test: as I dug deeper into this "1.3 requires 128" 
I found an issue on GitHub talking about it. At first there was a 
penalty in place for not supporting the mandatory AES128, but this ended 
up in a situation where, no matter if AES128 was supported or not, the test 
ended up with a penalty either way: one for supporting AES128, the other 
for not following the RFC. The latter one was removed, so although 
technically any server not supporting AES128 doesn't fully follow the 
standard, the folks over at ssllabs.com seem to see the increased security 
as more important than following the [insert some north-american 
three-letter short here] "recommendation".

Anyway - as the test now shows the desired result I mark this topic as 
solved for now.

Matt

On 21.07.2020 at 08:40, Rüdiger Plüm wrote:
>
> On 7/21/20 4:20 AM, cryptearth wrote:
>> First off: as I'm not sure what's causing this issue I'll post this question in these locations:
>> opensuse official forums https://forums.opensuse.org/showthread.php/541909-TLSv1-3-AES-and-Apache2
>> apache httpd mailing list
>> openssl mailing list
>>
>> As OpenSuSE 15.2 recently released with openssl 1.1.1 in its repos it's now possible to use TLSv1.3 with Apache2 out of the box.
>> As I use the TLS test on ssllabs.com as a reference I encountered some issues I'd like to ask for help to fix.
>> First off, and most important, the versions used:
>>
>> apache2: 2.4.43-lp152.1.1
>> openssl: 1.1.1d-lp152.1.1
>>
>> And here's the config (only used ssl-global.conf for this test):
>>
>> SSLProtocol -all +TLSv1.2 +TLSv1.3
>> SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
> Try replacing the single SSLCipherSuite directive above with the two below:
>
> SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
> SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
>
> See http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
>
> Regards
>
> Rüdiger
>
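Why the two directives Rüdiger suggests are needed, shown with an added example that is not from this thread, from httpd or from OpenSSL: OpenSSL 1.1.1 keeps the TLS 1.2 cipher list (SSL_CTX_set_cipher_list) and the TLS 1.3 ciphersuite list (SSL_CTX_set_ciphersuites) separate, and the `SSLCipherSuite TLSv1.3 ...` form is how httpd reaches the second list. The script below applies the first directive's list through Python's standard ssl module, which only wraps the TLS 1.2 list (it has no set_ciphersuites call), and then reports what OpenSSL still offers for TLS 1.3. With default settings that includes TLS_AES_128_GCM_SHA256, the suite the thread says the RFC makes mandatory, which is exactly what the single mixed directive in the original mail could not remove. It assumes Python 3.7 or newer linked against OpenSSL 1.1.1 or newer; TLS12_CIPHER_LIST and TLS13_WANTED are constants constructed from the mail above, and partition_ciphers / tls13_suites_not_in_wanted are helper names chosen here.

```python
"""Added example (not code from the thread): show that OpenSSL 1.1.1+
keeps TLS 1.2 ciphers and TLS 1.3 ciphersuites in two separate lists,
which is why httpd needs a second 'SSLCipherSuite TLSv1.3 ...' line.

Assumes Python 3.7+ linked against OpenSSL 1.1.1 or newer.
"""
import ssl

# The TLS 1.2 cipher list from the first suggested directive (constructed
# from the mail above, not read from any httpd config file).
TLS12_CIPHER_LIST = (
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
)

# What the second directive ('SSLCipherSuite TLSv1.3 ...') would configure.
# Python's ssl module has no wrapper for SSL_CTX_set_ciphersuites(), so this
# set is only used to compare against what OpenSSL enables by default.
TLS13_WANTED = {"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"}


def partition_ciphers(cipher_list):
    """Apply a TLS<=1.2 cipher list (the same string httpd hands to
    SSL_CTX_set_cipher_list) and return (tls12_names, tls13_names) as
    reported by OpenSSL for the resulting context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # only touches the TLS 1.2 list
    tls12, tls13 = set(), set()
    # get_ciphers() lists both lists; TLS 1.3 entries carry protocol 'TLSv1.3'
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            tls13.add(cipher["name"])
        else:
            tls12.add(cipher["name"])
    return tls12, tls13


def tls13_suites_not_in_wanted(tls13_names, wanted=TLS13_WANTED):
    """TLS 1.3 suites OpenSSL still offers that the second directive would
    drop. With OpenSSL's default ciphersuite list this contains
    TLS_AES_128_GCM_SHA256, the suite the thread calls mandatory."""
    return sorted(set(tls13_names) - set(wanted))


if __name__ == "__main__":
    tls12, tls13 = partition_ciphers(TLS12_CIPHER_LIST)
    print("TLS 1.2 ciphers after set_ciphers():", sorted(tls12))
    print("TLS 1.3 suites, untouched by set_ciphers():", sorted(tls13))
    print("TLS 1.3 suites the second directive would remove:",
          tls13_suites_not_in_wanted(tls13))
```

Running it prints the four TLS 1.2 ciphers from the first directive, then the full default TLS 1.3 list alongside them; the last line is the gap the `SSLCipherSuite TLSv1.3` directive closes. The same split applies to `openssl s_client` or any other OpenSSL 1.1.1 client: a cipher string that mixes `TLS_...` names into the old-style list does not configure TLS 1.3 at all.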
