TLS 1.3 and 100% on SSL Labs?

PUBLISHED ON NOV 18, 2019 — 200 words — NGINX, SECURITY, TLS

TL;DR: it is not possible to have TLS 1.3 with Nginx and a 100% score on SSL Labs, because of RFC 8446.

Activating TLS 1.3 on Nginx

Activating TLS 1.3 on Nginx is quite straightforward using the ssl_protocols directive:

    ssl_protocols TLSv1.3 TLSv1.2;

Enter RFC 8446…

RFC 8446 (The Transport Layer Security (TLS) Protocol Version 1.3), and more specifically section 9.1 (Mandatory-to-Implement Cipher Suites), states that: "A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites."

There you have it: TLS_AES_128_GCM_SHA256 is mandatory. Because SSL Labs requires every cipher suite to use 256-bit AES for a perfect score, it is not possible to activate TLS 1.3 AND get a 100% score on SSL Labs. Unless, that is, you compile OpenSSL yourself to drop AES-128 for TLS 1.3… which is not the best idea, because then you have to rebuild it at each and every patch…
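The reason the usual Nginx knob does not help is visible from the library itself: Nginx's ssl_ciphers directive is handed to OpenSSL's SSL_CTX_set_cipher_list(), which only governs TLS 1.2 and earlier, while the TLS 1.3 suites from RFC 8446 come from a separate, always-populated list. The following is an added example (not code from the original post) that reproduces this with Python's ssl module, which wraps the same OpenSSL calls; the "AES-256 only" cipher string is a constructed sample, and the helper names are mine.

```python
"""Added example (not from the original post): show that an OpenSSL
cipher-list string, the thing nginx's ssl_ciphers sets, only restricts
TLS 1.2 and earlier; the RFC 8446 TLS 1.3 suites stay enabled."""
import ssl

# Constructed sample: the "256-bit only" list an operator might put in
# nginx's ssl_ciphers, hoping every 128-bit suite disappears.
AES256_ONLY = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def offered_suites(cipher_list: str) -> dict:
    """Build a server context, apply the cipher list the way nginx would,
    and return the suite names OpenSSL still offers, grouped by protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same OpenSSL call nginx makes for ssl_ciphers: affects TLS <= 1.2 only.
    ctx.set_ciphers(cipher_list)
    by_proto: dict = {}
    for suite in ctx.get_ciphers():
        by_proto.setdefault(suite["protocol"], []).append(suite["name"])
    return by_proto


def weak_for_ssllabs(cipher_list: str) -> list:
    """Names of every offered suite that is not 256-bit, i.e. the suites
    that keep the SSL Labs cipher-strength score below 100%."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < 256]


def aes128_survives_tls13(cipher_list: str) -> bool:
    """True when the mandatory TLS_AES_128_GCM_SHA256 suite is still offered
    for TLS 1.3 despite the restrictive cipher list."""
    tls13 = offered_suites(cipher_list).get("TLSv1.3", [])
    return "TLS_AES_128_GCM_SHA256" in tls13


if __name__ == "__main__":
    for proto, names in sorted(offered_suites(AES256_ONLY).items()):
        print(proto, names)
    print("non-256-bit suites still offered:", weak_for_ssllabs(AES256_ONLY))
    print("AES-128 still offered under TLS 1.3:", aes128_survives_tls13(AES256_ONLY))
```

Run against any Python built on OpenSSL 1.1.1 or later, the TLS 1.2 list shrinks to the two 256-bit suites while TLSv1.3 still lists TLS_AES_128_GCM_SHA256, which is exactly the suite SSL Labs penalises; ssl_ciphers cannot remove it, so the only route left is the OpenSSL rebuild the post describes.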