Perfect scan impossible with TLSv1.3

ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

https://www.ssllabs.com/projects/ssllabs-apis/

Apache License 2.0

1.7k stars 242 forks source link

Perfect scan impossible with TLSv1.3 #684

Open josephcsible opened 5 years ago

josephcsible commented 5 years ago

If a server supports TLSv1.3, it's impossible for it to get a perfect scan result. The problem is due to the TLS_AES_128_GCM_SHA256 cipher suite. If it is enabled, your cipher strength score will be capped at 90% (see also #648). If it is not enabled, you'll get this in a red box:

This server does not support the mandatory cipher suite TLS_AES_128_GCM_SHA256 for TLS 1.3. See RFC 8446 for details.

myfirstnameispaul commented 5 years ago

Why is a reported perfect scan a requirement for the tool? Isn't this really an issue with the standards?

josephcsible commented 5 years ago

Isn't this really an issue with the standards?

Yes, but if the tool acknowledges a defect in the standards (which it does by lowering your security score if you follow them), then I don't think it should complain about deviating from them in that particular area.

Also, note that the TLS 1.1 spec requires a 3DES cipher, so there's no reason to warn about this for TLS 1.3 unless we also warn about not having that for TLS 1.1 (which we don't do, for obvious reasons).

myfirstnameispaul commented 5 years ago

While it is truly uo to the creators of the tool to determine its function, to me the tool is most useful by reporting everything within the realm of HTTPS transport.

Informing admins that they are out of compliance with a standard is just as useful as informing open standard bodies that their standards are less than ideal admins desire.

ArchangeGabriel commented 5 years ago

Duplicate of #636.

GottZ commented 4 years ago

well.. it is possible to get a perfect scan with TLSv1.3 but you'd need to change your openssl.cnf a little. see: https://www.ssllabs.com/ssltest/analyze.html?d=gottz.de

just put this above the first section in your /etc/ssl/openssl.cnf:

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

this requires a nginx restart. not just a reload.

oh and just a reminder: it's usually bad advice to tamper with openssl.cnf unless you really disagree with the spec

myfirstnameispaul commented 4 years ago

https://www.ssllabs.com/ssltest/analyze.html?d=gottz.de

Report includes:

Experimental: This server supports TLS 1.3 (RFC 8446).

TLS 1.3 (server has no preference) TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256 TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256

RFC 8446 states:

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).

This seems to be exploiting a bug in the test.

ArchangeGabriel commented 4 years ago

It does stat This server does not support the mandatory cipher suite TLS_AES_128_GCM_SHA256 for TLS 1.3. See RFC 8446 for details. though, the issue is the other message.