search

ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0
1.7k stars 242 forks source link

SSLabs doesn't recognize ffdhe #524

Open Razerwire opened 7 years ago

Razerwire commented 7 years ago

At https://www.bonnieradvocaten.nl we use a pre-defined DH group (ffdhe4096) as is recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919].

ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 and ffdhe8192 are part of the "Supported Groups Registry" (formely known as the "EC Named Curve Registry"), just like - for instance - secp521r1.

SSL Labs, currently does not recognize the use of pre-defined DH-groups from the Supported Groups Registry. Case in point being the SSL Labs scan for https://www.bonnieradvocaten.nl: Scan results The results do not show the usage of ffdhe4096.

The SSL Labs server test should be updated to not only include the older Supported Named Groups in the results but should recognize the usage and show all the Groups from the "Supported Groups Registry" when used.

bhushan5640 commented 7 years ago

SSL Labs do support detection of ffdhe groups https://github.com/ssllabs/ssllabs-scan/issues/446 eg. https://dev.ssllabs.com/ssltest/analyze.html?d=tls13.crypto.mozilla.org We will investigate why it is not detected for your domain.

Razerwire commented 7 years ago

@bhushan5640 Thanks. By the way (don't know if this is useful info), the development version (2.9-dev) of testssl.sh does correctly detect the use of ffdhe4096 on our site.