Unable to get 100% score without violating TLS 1.3 spec? #928
Comments
Interesting that NGINX doesn't allow that... Apache absolutely does. In reality, (usually) nothing bad happens if you "break" an RFC, assuming you test thoroughly to ensure you're not losing any compatibility. I've had TLS_AES_128_GCM_SHA256 disabled in Apache on multiple servers for years and it has caused zero problems or compatibility issues. They're Requests For Comments, not actual laws, and they aren't necessarily kept up-to-date with current security practices. Sometimes it's a choice between security and RFC-compliance and the correct answer is usually "it depends".
The bit on nginx is quite outdated, as setting them is definitively possible now using
Even if nginx doesn't allow it (which was the case when I looked into it), you can just configure it in your
nginx configuration for disabling 128-bit ciphers:
credits:
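As an added illustration (not part of this thread and not the project's own code), this is an nginx server block that restricts the TLS 1.3 cipher suites to the 256-bit AES-GCM and ChaCha20 suites via ssl_conf_command, which nginx accepts since 1.19.4 when built against OpenSSL 1.1.1 or later; the server name and certificate paths are placeholders. It shows why ssl_ciphers alone is not enough, and marks the spec trade-off the issue title refers to.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                             # placeholder

    ssl_certificate     /etc/nginx/tls/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;  # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;

    # With OpenSSL 1.1.1+, ssl_ciphers governs TLS 1.2 and below only;
    # it has no effect on the TLS 1.3 suite list.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # TLS 1.3 suites are set through OpenSSL's "Ciphersuites" config command.
    # Leaving TLS_AES_128_GCM_SHA256 out is what lifts the scanner score, but
    # RFC 8446 section 9.1 lists that suite as mandatory to implement, so this
    # is the deliberate spec departure discussed above; test client
    # compatibility before relying on it.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
}
```

After reloading nginx, a handshake against your own server with `openssl s_client -connect example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256` should now fail, while the same command with TLS_AES_256_GCM_SHA384 should succeed; that is the quickest way to confirm the directive took effect rather than being silently ignored by an older nginx or OpenSSL build.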
As per https://serverfault.com/a/1033444:
Either this limitation should be documented somewhere, or an exception should be added for TLS_AES_128_GCM_SHA256 to not lower the score.