TLSv1.3, AES and Apache2 on opensuse leap 15.2

Matt Caswell matt at openssl.org
Tue Jul 21 10:42:20 UTC 2020



On 21/07/2020 09:42, cryptearth wrote:
> Hello Rüdiger,
> 
> I got the same reply on the opensuse forums.
> Yes, it does "fix" my "issue", but as the reply on the forums noted:
> AES128 is mandatory for a 1.3 compliant implementation,

AES128 is mandatory-to-implement for an RFC compliant implementation of
TLSv1.3. AFAIK it is *not* mandatory for a client to offer it, nor is it
mandatory for a server to accept it. It's just that the implementation
has to be *able* to do it. There should be no problems with you
configuring things to not offer or accept AES128.

Matt



> as for why: I
> guess we all can come up with some three letter shorts without
> mentioning them by name.
> As for the ssllabs.com test: As I dug deeper in this "1.3 requires 128"
> I found an issue on github talking about it. At first there was a
> penalty in place for not supporting the mandatory AES128, but this ended
> up in no matter if AES128 was supported or not the test ended up with a
> penalty either way, one for supporting AES128 - the other for not
> following the RFC. The latter one was removed so although technically any
> server not supporting AES128 doesn't fully follow the standard the folks
> over at ssllabs.com seem to see the increased security is more important
> than to follow the [insert some north-american three letter short here]
> "recommendation".
> 
> Anyway - as the test now shows the desired result I mark this topic as
> solved for now.
> 
> Matt
> 
> Am 21.07.2020 um 08:40 schrieb Rüdiger Plüm:
>>
>> On 7/21/20 4:20 AM, cryptearth wrote:
>>> First off: as I'm not sure what's causing this issue I'll post this
>>> question on these locations:
>>> opensuse official forums
>>> https://forums.opensuse.org/showthread.php/541909-TLSv1-3-AES-and-Apache2
>>>
>>> apache httpd mailing list
>>> openssl mailing list
>>>
>>> As OpenSuSE 15.2 recently released with openssl 1.1.1 in its repos
>>> it's now possible to use TLSv1.3 with Apache2 out of the box.
>>> As I use the TLS test on ssllabs.com as a reference I encountered
>>> some issues I'd like to ask for help to fix.
>>> First off, as most important, the used versions:
>>>
>>> apache2: 2.4.43-lp152.1.1
>>> openssl: 1.1.1d-lp152.1.1
>>>
>>> And here's the config (only used ssl-global.conf for this test):
>>>
>>> SSLProtocol -all +TLSv1.2 +TLSv1.3
>>> SSLCipherSuite
>>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
>>>
>> Try replacing the one SSLCiphersuite directive above with the below
>> two ones:
>>
>> SSLCipherSuite
>> ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
>>
>> SSLCipherSuite TLSv1.3
>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
>>
>> See http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
>>
>> Regards
>>
>> Rüdiger
>>
> 
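An added check (not part of this thread, and not mod_ssl or OpenSSL project code) that shows why Rüdiger's split matters: it parses the two SSLCipherSuite directives from a constructed ssl-global.conf snippet, asks the local OpenSSL (through Python's ssl module) which TLSv1.2 suites the first list selects, reads the TLSv1.3 list from the second directive, and reports which of OpenSSL's default TLSv1.3 suites would be offered if that second directive were missing. The directive names and sample config are taken from the thread; the function names are mine.

```python
import re
import ssl

# Constructed sample of ssl-global.conf with the two directives from the thread:
# the first list covers TLSv1.2 and below, the second applies only to TLSv1.3.
SAMPLE_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
"""

# mod_ssl 2.4.43 syntax: 'SSLCipherSuite [protocol] cipher-spec'; an omitted
# protocol means 'SSL', i.e. the TLSv1.2-and-below list.
DIRECTIVE_RE = re.compile(r"^\s*SSLCipherSuite\s+(?:(SSL|TLSv1\.3)\s+)?(\S+)\s*$")


def parse_ciphersuite_directives(conf):
    """Map protocol keyword ('SSL' or 'TLSv1.3') to the cipher spec it was given."""
    specs = {}
    for line in conf.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            specs[m.group(1) or "SSL"] = m.group(2)
    return specs


def expand_tls12_spec(spec):
    """Return the TLS<=1.2 suites the local OpenSSL selects for a cipher spec."""
    # set_ciphers() only feeds SSL_CTX_set_cipher_list, so TLSv1.3 entries in
    # get_ciphers() are OpenSSL's defaults, not anything from the spec.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def default_tls13_suites():
    """The TLSv1.3 suites offered when no 'SSLCipherSuite TLSv1.3' line exists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def aes128_suites(names):
    """Suites that would make the ssllabs.com test report AES128 as offered."""
    return [n for n in names if "AES128" in n or "AES_128" in n]


def check_conf(conf):
    specs = parse_ciphersuite_directives(conf)
    tls12 = expand_tls12_spec(specs["SSL"])
    # Python exposes no API for TLSv1.3 suites, so read the directive's list as-is.
    tls13 = specs["TLSv1.3"].split(":") if "TLSv1.3" in specs else default_tls13_suites()
    return {"tls12": tls12, "tls13": tls13, "aes128": aes128_suites(tls12 + tls13)}
```

Drop the `SSLCipherSuite TLSv1.3` line from the sample and `check_conf` falls back to OpenSSL's defaults, which is where the AES128 suite the original single directive could not remove comes from.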

