ic0ns
commented
8 months ago You are right - that is pretty much what is happening. The Encrypt-then-MAC check should be a dedicated connection since we only need to exclusively offer cbc cipher suites.
Open hannob opened 8 months ago
ic0ns
commented
8 months ago You are right - that is pretty much what is happening. The Encrypt-then-MAC check should be a dedicated connection since we only need to exclusively offer cbc cipher suites.
When I try to scan my own webpage - see https://tls-scanner.cs.uni-paderborn.de/report/hboeck.de I get a warning that it would not support the Encrypt-then-MAC extension:
This server runs a pretty standard apache+openssl setup, and openssl enables the EtM extension by default if applicable. Apache does not disable it, so it should work. I can also see the extension if I manually connect to the server with TLS 1.3 disabled.
I have a guess why this check is not working: The EtM extension is not supported in TLS 1.3. It only applies to old CBC mode ciphers, and those are only supported in TLS <= 1.2. Possibly, TLS-Scanner is just checking the list of extensions it sees with a connection with TLS 1.3, and doesn't see it there.