j***@esilo.com
2018-05-22 20:25:48 UTC
Hello. I am attempting to implement stunnel wrapper to HTTP to support only TLS 1.3 and 1.2 in order to get the best score at ssllabs.com. I downloaded and installed the 5.45 released 21st May 2018 and TLS 1.3 works with the nightly build of firefox but I am having trouble getting TLS 1.3 to work with browsers that support it but also support TLS 1.2 for older ones, while maintaining an A+ score on ssllabs.com.
My configuration is:
...
sslVersion = all
options = NO_SSLv3
options = NO_TLSv1
ciphers = TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:CHACHA20-POLY1305-SHA256:AES-256-GCM-SHA384
...
But the test indicates:
* That the server does not support TLS 1.3, and
* The server does not support Forward Secrecy with the reference browsers. Grade capped to B
... even though Firefox nightly does indicate that it was able to use TLS 1.3.
Any thoughts on how to configure the sslVersion, options, and ciphers to get a grade A and support both TLS 1.3 and 1.2 ?
My configuration is:
...
sslVersion = all
options = NO_SSLv3
options = NO_TLSv1
ciphers = TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:CHACHA20-POLY1305-SHA256:AES-256-GCM-SHA384
...
But the test indicates:
* That the server does not support TLS 1.3, and
* The server does not support Forward Secrecy with the reference browsers. Grade capped to B
... even though Firefox nightly does indicate that it was able to use TLS 1.3.
Any thoughts on how to configure the sslVersion, options, and ciphers to get a grade A and support both TLS 1.3 and 1.2 ?