Not reporting Key Exchange 100 score with EC 384 bits

[adrelanos]

https://www.ssllabs.com/ssltest/analyze.html?d=whonix.org

#650 (comment) @josephcsible

The key exchange score comes from the strength of the ephemeral key exchange and the strength of the public key. You need a 4096-bit RSA (or 384-bit ECC) key on your certificate to get 100%.

The server is already using EC 384 bits.

Bug: Still only a 90% Key Exchange score.

[josephcsible]

I wonder if it's your "Supported Named Groups" setting (currently "x25519, secp256r1, x448, secp521r1, secp384r1"). See if changing it to just "x448, secp521r1, secp384r1" helps.

[adrelanos]

Thank you for the suggestion!

Disable x25519? I cannot find anything negative on x25519. Why should that be disabled?

But arguments were made against secp / NIST.

By comparison, https://www.ssllabs.com/ssltest/analyze.html?d=dustri.org reports:

• Key Exchange: 100 % score
• HSTS Preloading: Not in: Chrome
• Supported Named Groups: secp384r1

In conclusion, bug

• HSTS Preloaded in all browsers but Chrome #897

is probably not preventing Key Exchange 100 score on my server.

[adrelanos]

nginx config.

ssl_ecdh_curve x25519:x448;

Causes ssllabs HTTP error.

I cannot find any TLS hardening documentation advising to change nginx config ssl_ecdh_curve or disabling any curves that are part of the TLSv1.3 standard.

I wonder if it's your "Supported Named Groups" setting (currently "x25519, secp256r1, x448, secp521r1, secp384r1"). See if changing it to just "x448, secp521r1, secp384r1" helps.

Did you mean try to disable secp256r1?

[adrelanos]

ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;

or

ssl_ecdh_curve x25519:x448:secp521r1:secp384r1;

results in ssllabs:

Supported Named Groups x25519, x448, secp521r1, secp384r1 (server preferred order)

But still only Key Exchange 90% score.

---

https://serverfault.com/questions/877774/trying-to-get-100-in-ssllabs-com-key-exchange from 2017 is saying:

The rating guide doesnt say, but i was able to confirm that you cannot get rating 100 if your server prefers secp256v1 (equivalent to 3k bits RSA) while offering ECDHE ciphers that could be using secp384v1 (equivalent to 7k bits RSA).

But it seems that might have changed meanwhile or it's a different issue.

[adrelanos]

Do you know any server on the internet that is using EC 384 bits (SHA384withECDSA) that has Key Exchange 100% score on ssllabs?

[ArchangeGabriel]

I’m also against disabling x25519, but if you want to score 100 % on SSL Labs you will need to. Indeed, it’s a ~256bits curve, so SSL Labs grad it 90 %, but that is pointless.

[josephcsible]

Did you mean try to disable secp256r1?

I meant try to disable both x25519 and secp256r1.

[adrelanos]

I don't want to do this for the sake of Key Exchange 100% score at ssllabs. At least not without a strong rationale such as x25519 and/or secp256r1 being considered weak, which doesn't seem to exist at this point.

ssllabs would need to provide guidance (if that is their opinion, what I doubt) or fix this bug (seems like a bug, appropriate to fix).

However, it seems like there's a lot of issues posted on this ssllabs issue tracker for some time now with little to zero replies or action from ssllabs. So it seems kinda deprecated. Hope to be wrong on this one as it would be sad to see ssllabs becoming less useful over time.

[josephcsible]

I think they want a 256-bit security level to give you a 100%, but those only have 128-bit security levels.

[cmason3]

It is impossible to achieve 100% if using TLS 1.3 as the standard mandates that you enable support for AES-128 (TLS_AES_128_GCM_SHA256). Just because you can’t achieve 100% doesn’t mean it isn’t a secure setup - it is still classified as A+. Disabling x25519 Key Exchange just to achieve 100% would be a bad idea.

[josephcsible]

It is impossible to achieve 100% if using TLS 1.3 as the standard mandates that you enable support for AES-128

Just because the standard says something is mandatory doesn't mean you can't turn it off anyway. Plenty of Web servers will let you do so. Also consider that the TLS 1.2 standard mandates you enable support for TLS_RSA_WITH_AES_128_CBC_SHA.

[adrelanos]

Chris Mason:

It is impossible to achieve 100% if using TLS 1.3 as the standard mandates that you enable support for AES-128.

These have already been disabled.

[catharsis71]

I've done a lot of experimentation with the scanner & identified the most permissive set of ciphers and curves that will still earn all 100%

these are in Apache format but it shouldn't be a big deal to convert for other webservers

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:DHE-RSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:brainpoolP512r1:sect409r1:sect409k1:brainpoolP384r1:secp384r1:X448

[TommieGoldhammer]

Do you know any server on the internet that is using EC 384 bits (SHA384withECDSA) that has Key Exchange 100% score on ssllabs?

Yes, here is my test-domain using EC384 and 100% score on everything and A+: https://www.ssllabs.com/ssltest/analyze.html?d=goldhammer.se

I wrote an article about the configuration some months ago:
https://www.linkedin.com/pulse/configuring-pfsense-firewall-haproxy-maximum-security-goldhammer/

[adrelanos]

Do you know any server on the internet that is using EC 384 bits (SHA384withECDSA) that has Key Exchange 100% score on ssllabs?

Yes, here is my test-domain using EC384 and 100% score on everything and A+: https://www.ssllabs.com/ssltest/analyze.html?d=goldhammer.se

Confirmed. Using:
Supported Named Groups: secp384r1