Open HX-Technology-LLC opened 2 years ago
It's possible to get 100 cipher strength with TLS 1.3 enabled. The key is to disable TLS_AES_128_GCM_SHA256 so that the only TLS 1.3 ciphers enabled are TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256.
Technically this violates the current RFC, but here's a secret: nothing bad actually happens (usually) when you violate an RFC.
There are no RFC police; mostly nobody cares.
To get an A+ (regardless of score) you must have both TLS 1.2 and 1.3 enabled, which plenty of people have complained about, but they don't seem in a hurry to fix it.
With only TLS 1.3, you can get 100 across the board and still get an A instead of an A+.
If I want Cipher Strength to reach a score of 100, I must turn off TLS 1.3 and remove all the ciphers under 256 bits, but TLS 1.3 does not support removing ciphers; it can only change the order. It's unreasonable, because TLS 1.3 has an encrypted server hello, so it is safer than using TLS 1.2 with a 256-bit cipher, although it just uses a 128-bit cipher.
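An added example, not code from this thread or from any scanner: a small Python check of why the one 128-bit TLS 1.3 suite caps the cipher strength score discussed above. It assumes the scanner buckets key sizes and averages the strongest and weakest suite the way the Qualys SSL Labs rating guide describes; the function names are hypothetical.

```python
import re

def suite_bits(name):
    """Symmetric key size implied by an IANA cipher suite name."""
    if "CHACHA20" in name:
        return 256                      # ChaCha20 always uses a 256-bit key
    if "3DES" in name:
        return 112                      # effective strength of triple DES
    if "NULL" in name:
        return 0
    m = re.search(r"AES_(\d+)", name)
    if m:
        return int(m.group(1))
    raise ValueError(f"unrecognised suite: {name}")

def bits_score(bits):
    """Assumed buckets: 0 -> 0, <128 -> 20, <256 -> 80, >=256 -> 100."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100

def cipher_strength_score(suites):
    """Average of the scores of the strongest and weakest enabled suite."""
    if not suites:
        raise ValueError("no suites enabled")
    bits = [suite_bits(s) for s in suites]
    return (bits_score(max(bits)) + bits_score(min(bits))) / 2

def suites_below_256(suites):
    """Suites that keep the score under 100."""
    return [s for s in suites if suite_bits(s) < 256]

# The three TLS 1.3 suites named in the thread.
TLS13_ALL = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
# The same list with the 128-bit suite disabled, as the first comment suggests.
TLS13_TRIMMED = [s for s in TLS13_ALL if s != "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(cipher_strength_score(TLS13_ALL), suites_below_256(TLS13_ALL))
    print(cipher_strength_score(TLS13_TRIMMED))
```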