ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0
1.7k stars 241 forks

If TLS 1.3 is enabled, the Cipher Strength is capped at 90; it's unreasonable #882

Open HX-Technology-LLC opened 2 years ago

HX-Technology-LLC commented 2 years ago

If I want Cipher Strength to reach a score of 100, I must turn off TLS 1.3 and remove all the ciphers under 256 bits, but TLS 1.3 does not support removing ciphers; it can only change the order. It's unreasonable, because TLS 1.3 encrypts the ServerHello, so it is safer than TLS 1.2 with a 256-bit cipher, even though it uses only a 128-bit cipher.

catharsis71 commented 2 years ago

It's possible to get 100 cipher strength with TLS 1.3 enabled. The key is to disable TLS_AES_128_GCM_SHA256 so that the only TLS 1.3 ciphers enabled are TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256.

Technically this violates the current RFC, but here's a secret: nothing bad actually happens (usually) when you violate an RFC.

There are no RFC police; mostly nobody cares.

To get an A+ (regardless of score) you must have both TLS 1.2 and 1.3 enabled, which plenty of people have complained about, but they don't seem in a hurry to fix it.

With only TLS 1.3, you can get 100 across the board and still get an A instead of an A+.
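The following nginx server block is an added example of the configuration the comment above describes; it is not code from this project or from either commenter. It keeps both TLS 1.2 and TLS 1.3 enabled (the A+ requirement mentioned above) while restricting every offered suite to a 256-bit key: the TLS 1.2 list is limited to AES-256-GCM and ChaCha20-Poly1305 ECDHE suites, and the TLS 1.3 list drops TLS_AES_128_GCM_SHA256 via OpenSSL's Ciphersuites configuration command. The hostname, certificate and key paths are placeholders. Note that RFC 8446 makes TLS_AES_128_GCM_SHA256 mandatory-to-implement, so a server that never offers it is the RFC deviation the comment refers to; some older clients may fail to negotiate TLS 1.3 against it, which is the trade-off for the score.

```nginx
# Added example (not from the ssllabs-scan project): 256-bit-only suites
# with both TLS 1.2 and TLS 1.3 enabled.
# Requires nginx >= 1.19.4 (for ssl_conf_command) built against OpenSSL >= 1.1.1.
server {
    listen 443 ssl;
    http2 on;
    server_name example.com;                       # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder path

    # Both protocol versions stay enabled; TLS 1.3-only yields A rather than A+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2: only 256-bit key suites with forward secrecy (AES-256-GCM and
    # ChaCha20-Poly1305, both 256-bit keys). No 128-bit or CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # TLS 1.3: ssl_ciphers does not apply here. The suite list is passed
    # straight to OpenSSL; omitting TLS_AES_128_GCM_SHA256 removes it entirely
    # rather than just reordering it.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # Deliberately weak alternative, for contrast (do NOT use both):
    # ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
    # Listing the 128-bit suite last only changes preference; it is still
    # negotiable and still pulls the Cipher Strength score below 100.

    location / {
        root /var/www/html;                        # placeholder document root
    }
}
```

After reloading, confirm the 128-bit suite is really gone rather than merely deprioritized by forcing a client to offer only that suite; the handshake should fail with `no cipher match` or a handshake failure alert rather than succeed: `openssl s_client -connect example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 </dev/null`. The same check with `-ciphersuites TLS_AES_256_GCM_SHA384` should complete, and a TLS 1.2 check with `-tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256` should likewise be refused.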