SSL Labs: How to improve Cipher Strength in TLS 1.3? #602

Closed
McKinleyGroup opened this issue Apr 16, 2018 · 6 comments

@McKinleyGroup

I got an A+ grading:

Certificate 100%
Protocol Support 100%
Key Exchange 90%
Cipher Strength 90%

Any tips on how to improve Key Exchange & Cipher Strength? Especially Cipher Strength in TLS 1.3 with AEAD isn't so well documented yet.

What do I need to do to get Key Exchange from 90% up to 100%?
What do I need to do to get Cipher Strength from 90% up to 100%?

Thank you for some insightful hints and tips! :-)

@m-terlinde

Dear Anna,

I don't think this is the right platform for your request, since this is just the repo for the API reference implementation.
You'll find all needed information in the grading documentation.

But I'll wrap it up for you:
Key Exchange 100%: Key or DH parameter strength >= 4096 bits
Cipher Strength 100%: key size >= 256 bits

If this answers your question feel free to close this issue :).

@bhushan5640
Contributor

This is the forum for all such questions. You will get better responses there:
https://community.qualys.com/community/ssllabs

@McKinleyGroup
Author

Dear bhushan5640:
Dear m-terlinde:

Thanks to both of you for your kind and helpful answers!

> You'll find all needed information in the grading documentation.
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

That's the most useful guide so far. However, it doesn't answer the question on how to push Key Exchange and Cipher Strength beyond the mark of 90%! :-)

> Key Exchange 100%: Key or DH parameter strength >= 4096 bits
> Cipher Strength 100%: key size >= 256 bits

That answer was to the point and very helpful! I did that as far as I could!

https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudinsidr.com&latest

  1. The Certificate #1: RSA 4096 bits is already 4096 bit!
  2. The Let's Encrypt Certificate is RSA 2048, however I can't really change that...

@bhushan5640 The Let's Encrypt Certificate is RSA 2048! That's up to Let's Encrypt to change!

Cipher Strength 100%: key size >= 256 bits - I'm gonna try that. Maybe it works...

Thanks a lot!

@ArchangeGabriel

You’re confusing Key Exchange (KEX) and certificate signature.

To have a KEX of >= 4096, you have to use either DHE with DH parameters of 4096 bits or above, or ECDHE and a curve that is at least 256-bit equivalent (that is, not secp256 or 384 but 521, and not X25519 but X448). With elliptic curves this is hard to do, because such high-bit elliptic curves are not widely supported.

For cipher strength, that means you must disable ciphers with AES_128 in their names. Also, this is not related, but you should disable CBC ciphers.
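
Added example (not part of this thread and not code from ssllabs-scan): the arithmetic behind the 90% figures discussed above, using the point thresholds from the SSL Server Rating Guide linked earlier in the thread. The function names and the `OFFERED` suite list are constructed for illustration.

```python
import re

# Point thresholds as listed in the SSL Server Rating Guide linked in this thread.
def strength_points(bits):
    """Points for one cipher's symmetric key size."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    return 80 if bits < 256 else 100

def key_exchange_points(bits):
    """Points for the key exchange, given RSA/DH-equivalent key or parameter bits."""
    if bits == 0:
        return 0
    for limit, points in ((512, 20), (1024, 40), (2048, 80), (4096, 90)):
        if bits < limit:
            return points
    return 100

def cipher_bits(suite):
    """Symmetric key size implied by an IANA-style suite name (hypothetical helper)."""
    if "CHACHA20" in suite:
        return 256  # ChaCha20 always uses a 256-bit key
    match = re.search(r"_(128|256)_", suite)
    if match is None:
        raise ValueError(f"cannot infer key size from {suite!r}")
    return int(match.group(1))

def cipher_strength_score(suites):
    """Category score: average of the strongest and the weakest offered suite."""
    bits = [cipher_bits(s) for s in suites]
    return (strength_points(max(bits)) + strength_points(min(bits))) / 2

def suites_blocking_100(suites):
    """Suites that keep the weakest-cipher term below 100 points."""
    return [s for s in suites if cipher_bits(s) < 256]

# Constructed sample of a server's offered suites (TLS 1.3 and TLS 1.2 names).
OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print(cipher_strength_score(OFFERED), suites_blocking_100(OFFERED))
```

With the two AES_128 suites removed, the same list scores 100.0. RFC 8446 names TLS_AES_128_GCM_SHA256 as the mandatory-to-implement TLS 1.3 suite, so check client compatibility before dropping it.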

@McKinleyGroup
Author

Thanks ArchangeGabriel! :-)

@davidfavor

You mentioned, "The Let's Encrypt Certificate is RSA 2048, however I can't really change that..."

This is easy to change, just generate a 4096 bit cert.
