Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Servers out of compliance with RFC 8446 reported as in compliance. #668

Closed
myfirstnameispaul opened this issue Nov 27, 2018 · 5 comments

Comments

@myfirstnameispaul
Copy link

commented Nov 27, 2018

Servers without the TLS_AES_128_GCM_SHA256 cipher suite are not reported as being out of compliance with RFC8446.

8446not8446

9.1. Mandatory-to-Implement Cipher Suites

In the absence of an application profile standard specifying
otherwise:

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
[GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
[GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
Appendix B.4).

@myfirstnameispaul myfirstnameispaul changed the title Servers out of compliance with RFC 8446 not reported Servers out of compliance with RFC 8446 reported as in compliance. Dec 2, 2018

@tamthing

This comment has been minimized.

Copy link

commented Dec 5, 2018

@myfirstnameispaul Thank you for reporting. We would look into the issue.

@tamthing

This comment has been minimized.

Copy link

commented Jan 25, 2019

This has now been fixed on version 1.32.15.

@tamthing tamthing closed this Jan 25, 2019

@hotaru2k3

This comment has been minimized.

Copy link

commented Jan 26, 2019

does it really make sense to report this without also reporting when a server doesn't support the mandatory cipher suite for other protocol versions?

TLS 1.2:

9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS-compliant application MUST implement the cipher
suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
definition).

TLS 1.1:

9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS compliant application MUST implement the cipher
suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

TLS 1.0:

9. Mandatory Cipher Suites
In the absence of an application profile standard specifying
otherwise, a TLS compliant application MUST implement the cipher
suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

@myfirstnameispaul

This comment has been minimized.

Copy link
Author

commented Jan 27, 2019

@hotaru2k3 Open a ticket.

@josephcsible

This comment has been minimized.

Copy link

commented Feb 1, 2019

Fixing this caused bug #684.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.