TLSv1.3, AES and Apache2 on opensuse leap 15.2

Matt Caswell matt at
Tue Jul 21 10:42:20 UTC 2020

On 21/07/2020 09:42, cryptearth wrote:
> Hello Rüdiger,
> I got the same reply on the opensuse forums.
> Yes, it does "fix" my "issue", but as the reply on the forums noted:
> AES128 is mandatory for a 1.3 compliant implementation,

AES128 is mandatory-to-implement for an RFC compliant implementation of
TLSv1.3. AFAIK it is *not* mandatory for a client to offer it, nor is it
mandatory for a server to accept it. Its just that the implementation
has to be *able* to do it. There should be no problems with you
configuring things to not offer or accept AES128.


> as for why: I
> guess we all can come up with some three letter shorts without
> mentioning them by name.
> As for the test: As I dug deeper in this "1.3 requires 128"
> I found an issue on github talking about it. At first there was a
> penalty in place for not supporting the mandatory AES128, but this ended
> up in no matter if AES128 was supported or not the test ended up with a
> penalty either way, one for supporting AES128 - the other for not
> following the RFC. The latter one was removed so although technical any
> server not supporting AES128 doesn't fully follow the standard the folks
> over at seem to see the increased security is more important
> than to follow the [insert some north-american three letter short here]
> "recommandation".
> Anyway - as the test now shows the desired result I mark this topic as
> solved for now.
> Matt
> Am 21.07.2020 um 08:40 schrieb Rüdiger Plüm:
>> On 7/21/20 4:20 AM, cryptearth wrote:
>>> first of: as I'm not sure what's causing this issue I'll post this
>>> question on these locations:
>>> opensuse official forums
>>> apache httpd mailing list
>>> openssl mailing list
>>> As OpenSuSE 15.2 recently released with openssl 1.1.1 in its repos
>>> it's now possible to use TLSv1.3 with Apache2 out of the box.
>>> As I use the TLS test on as a reference I encountered
>>> some issues I'd like to ask for help to fix.
>>> First of, as most important, the used versions:
>>> apache2: 2.4.43-lp152.1.1
>>> openssl: 1.1.1d-lp152.1.1
>>> And here's the config (only used ssl-global.conf for this test):
>>> SSLProtocol -all +TLSv1.2 +TLSv1.3
>>> SSLCipherSuite
>> Try replacing the one SSLCiphersuite directive above with the below
>> two ones:
>> SSLCipherSuite
>> SSLCipherSuite TLSv1.3
>> See
>> Regards
>> Rüdiger

More information about the openssl-users mailing list