SSLLABS warning for missing mandatory cipher suite

 
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Fri 01 Feb '19 11:46    Post subject: SSLLABS warning for missing mandatory cipher suite

People who want to check the security grade of their webserver/-pages often use the ssllabs.com server test.

In fact, ssllabs sends a warning when TLS 1.3 configured sites do not have the so-called "mandatory cipher suite" TLS_AES_128_GCM_SHA256.

Since this cipher uses only AES 128, it's obvious that it is not of the same security strength/level as the other ones.

Does someone have information about a comparison between TLS_AES_128_GCM_SHA256 and the other ones regarding the strength of the cipher suites?


Last edited by jraute on Wed 13 Feb '19 17:55; edited 1 time in total
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 916
Location: Amsterdam, NL, EU

Posted: Fri 01 Feb '19 14:47    Post subject:

Strange thing: I enabled TLS v1.3, did not enable TLS_AES_128_GCM_SHA256 in my ciphersuite, and even then Apache uses TLS_AES_128_GCM_SHA256 for TLS v1.3.

Code:
SSLProtocol -ALL +TLSv1.3 +TLSv1.2 +TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA


Results:
https://www.ssllabs.com/ssltest/analyze.html?d=tfrtst.sessionportal.net&s=109.72.82.241

And:
https://www.htbridge.com/ssl/?id=7YPAy4ha
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6519
Location: Germany, Next to Hamburg

Posted: Fri 01 Feb '19 15:52    Post subject:

@Jan-E
Because you might use the default config.

There is a need to set it for TLSv1.3:

SSLCipherSuite TLSv1.3

See my SSL config and I get the warning, too, because I avoid 128 bit.

Code:

<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

TraceEnable Off

SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

SSLOpenSSLConfCmd DHParameters "/opt/apache2/conf/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On
Back to top
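Added example (not part of any post in this thread, and not Apache's or OpenSSL's own code): a small Python check of the behaviour discussed above. An SSLCipherSuite line without the TLSv1.3 argument only sets the list for TLS 1.2 and older, so TLS 1.3 falls back to OpenSSL 1.1.1's built-in list, which contains TLS_AES_128_GCM_SHA256. The function names and the single-scope, last-directive-wins handling are assumptions of this sketch; the two sample configs are the SSLCipherSuite lines from the posts above.

```python
import re

# OpenSSL 1.1.1's built-in TLS 1.3 list, used when no "SSLCipherSuite TLSv1.3 ..." is set.
OPENSSL_TLS13_DEFAULT = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                         "TLS_AES_128_GCM_SHA256"]
MANDATORY = "TLS_AES_128_GCM_SHA256"  # must-implement suite per RFC 8446 section 9.1
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(\S.*?)\s*$", re.IGNORECASE)

def cipher_lists(conf_text):
    """Split SSLCipherSuite lines into the TLS<=1.2 ("SSL") and "TLSv1.3" lists.
    Simplification (assumption): one scope, a later directive replaces an earlier one."""
    lists = {"SSL": None, "TLSv1.3": None}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' never match
        if not m:
            continue
        args = m.group(1).split()
        # A bare cipher spec means protocol "SSL"; it never touches the TLS 1.3 list.
        proto, spec = (args[0], args[1]) if len(args) >= 2 else ("SSL", args[0])
        if proto in lists:
            lists[proto] = spec.strip('"').split(":")
    return lists

def audit(conf_text):
    """Report which TLS 1.3 suites the config ends up with and what SSL Labs would flag."""
    lists = cipher_lists(conf_text)
    tls13 = lists["TLSv1.3"] or OPENSSL_TLS13_DEFAULT
    tls12 = lists["SSL"] or []
    return {
        "tls13_suites": tls13,
        "tls13_from_openssl_default": lists["TLSv1.3"] is None,
        "mandatory_suite_offered": MANDATORY in tls13,
        # True when ChaCha20 leads one list but not the other.
        "chacha_preference_mismatch": bool(tls12) and
            ("CHACHA20" in tls12[0]) != ("CHACHA20" in tls13[0]),
    }

# SSLCipherSuite lines copied from Jan-E's and James Blond's posts.
JAN_E_CONF = """SSLProtocol -ALL +TLSv1.3 +TLSv1.2 +TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA
"""
JAMES_BLOND_CONF = """SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
"""

if __name__ == "__main__":
    for name, conf in (("Jan-E", JAN_E_CONF), ("James Blond", JAMES_BLOND_CONF)):
        print(name, audit(conf))
```

For the first config the TLS 1.3 list comes from the OpenSSL default and still offers the mandatory suite; for the second it is set explicitly without it, which is the condition the SSL Labs warning reports.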
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6519
Location: Germany, Next to Hamburg

Posted: Fri 01 Feb '19 16:12    Post subject: Re: SSLLABS warning for missing mandatory cipher suite

jraute wrote:

Does someone have information about a comparison between TLS_AES_128_GCM_SHA256 and the other ones regarding the strength of the cipher suites?


Sure it is wise to use Galois/Counter Mode (GCM). Comparing TLS_AES_128_GCM_SHA256 with TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256, both AES ones are mostly the same, except, as you have mentioned, the strength: 128 vs 256.

ChaCha20/Poly vs AES is a different thing. There are a lot of opinions about that[1]. For mobile devices the Poly is faster because it is more CPU friendly if the CPU doesn't have native / built-in AES support. Also some crypto people say that there is a chance that AES will be cracked soon-ish. Whatever that means.

I made a blog post about why I chose the ciphers that I use[2]

[1] https://www.google.com/search?q=poly+vs+aes
https://blog.cloudflare.com/it-takes-two-to-chacha-poly/
[2] https://mariobrandt.de/archives/apache/finding-the-right-ciphers-with-256-bit-alias-crypto-wars-part-nine-1206/
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2181
Location: Sun Diego, USA

Posted: Sun 03 Feb '19 21:57    Post subject:

Interesting you have chacha first for TLS/1.2 but second in TLS/1.3. Any reason other than that's the order of OpenSSL's default?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6519
Location: Germany, Next to Hamburg

Posted: Mon 04 Feb '19 13:52    Post subject:

glsmith wrote:
Interesting you have chacha first for TLS/1.2 but second in TLS/1.3. Any reason other than that's the order of OpenSSL's default?


You got the mistake, I want Chacha in both cases to be the first. (embarrassed)
Back to top

