Author |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Fri 01 Feb '19 11:46 Post subject: SSLLABS warning for missing mandatory cipher suite |
|
|
People who want to check the security grade of their webserver/-pages often use ssllabs.com server test.
In fact ssllabs send a warning, when TLS1.3 configured sites do not have the so called "mandatory cipher suite" TLS_AES_128_GCM_SHA256.
Since this cipher uses only an AES 128 it's obvious that it is not of the same security strength/level as the other ones.
Does someone has information about a comparison between TLS_AES_128_GCM_SHA256 and the other ones regarding the strength of the cipher suites?
Last edited by jraute on Wed 13 Feb '19 17:55; edited 1 time in total |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7375 Location: Germany, Next to Hamburg
|
Posted: Fri 01 Feb '19 15:52 Post subject: |
|
|
@Jan-E
because you might use the default config.
There is the need of setting it for TLSv1.3
SSLCipherSuite TLSv1.3
See my SSL config and I get the warning, too, because I avoid 128 bit.
Code: |
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
ProtocolsHonorOrder On
Protocols h2c h2 http/1.1
TraceEnable Off
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLOpenSSLConfCmd DHParameters "/opt/apache2/conf/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
H2Direct On
|
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7375 Location: Germany, Next to Hamburg
|
Posted: Fri 01 Feb '19 16:12 Post subject: Re: SSLLABS warning for missing mandatory cipher suite |
|
|
jraute wrote: |
Does someone has information about a comparison between TLS_AES_128_GCM_SHA256 and the other ones regarding the strength of the cipher suites? |
Sure it is wise to use Galois/Counter Mode (GCM). Comparing the TLS_AES_128_GCM_SHA256 with TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256
both AES ones are mostly the same, except as you have mentioned the strengh. 128 vs 256.
ChaCha20/Poly vs AES is a different thing. There are a lot of opinions about that[1]. For mobile devices the Poly is faster because it is more CPU friendly if the CPU doesn't have native / built-in AES support. Also some crypto people say that there is a chance that AES will be cracked soon'ish. What ever that means.
I made a blog post why I chose the cipthers that I use[2]
[1] https://www.google.com/search?q=poly+vs+aes
https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
[2] https://mariobrandt.de/archives/apache/finding-the-right-ciphers-with-256-bit-alias-crypto-wars-part-nine-1206/ |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sun 03 Feb '19 21:57 Post subject: |
|
|
Interesting you have chacha first for TLS/1.2 but second in TLS/1.3. Any reason other than that's the order of OpenSSL's default? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7375 Location: Germany, Next to Hamburg
|
Posted: Mon 04 Feb '19 13:52 Post subject: |
|
|
glsmith wrote: | Interesting you have chacha first for TLS/1.2 but second in TLS/1.3. Any reason other than that's the order of OpenSSL's default? |
You got the mistake, I want Chacha in both cases to be the first |
|
Back to top |
|