[BlueOnyx:22954] BlueOnyx 5210R TLSv1.3 support

Michael Stauber mstauber at blueonyx.it
Tue Jun 18 20:56:56 -05 2019


Hi all,

I'm currently locking down the SSL protocols and ciphers for BlueOnyx
5210R in Apache and Nginx.

The good news is: TLSv1.3 does indeed work with the Apache 2.4.35 that
ships with RHEL8. They must have backported the missing elements from
Apache 2.4.36, which officially is the first version of Apache where
TLSv1.3 ought to work. The included OpenSSL-1.1.1 is also (barely) good
enough for TLSv1.3.

Below is a preliminary SSL-Labs check for HTTPS on 5210R with the stock
Apache 2.4.35:

https://www.ssllabs.com/ssltest/analyze.html?d=5210r.smd.net&hideResults=on

The result for the included Nginx SSL proxy is identical except for one
minor detail: Under TLSv1.3 the CHACHA20_POLY1305 cipher is in 2nd place
and not in first place.

Question:
==========

As you can see in the URL above, the following browsers are no longer
supported:

- IE 11 / Win Phone 8.1
- Safari 6 / iOS 6.0.1
- Safari 7 / iOS 7.1
- Safari 7 / OS X 10.9
- Safari 8 / iOS 8.4
- Safari 8 / OS X 10.10

The best available cipher that these support would be this:

	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

And that uses the "weak" CBC mechanism, which we might want to avoid.

Does anyone have objections to no longer supporting these older
browsers via HTTPS? Or do we still need to drag them along?

-- 
With best regards

Michael Stauber
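To make the trade-off in the question concrete, here is an added example (not the BlueOnyx configuration or the author's code) that builds two server-side TLS contexts with Python's ssl module, one that keeps the CBC suite the old Safari/IE releases need and one that drops it, and audits which non-AEAD (CBC-mode) suites each would still offer at TLS 1.2. The two cipher strings and the function names are assumptions chosen for the illustration.

```python
"""Audit which CBC-mode suites a TLS 1.2 cipher string still offers.

Added example; the cipher strings below are assumptions for illustration,
not the cipher lists shipped in the BlueOnyx Apache/Nginx configuration.
"""
import ssl

# The suite named in the post (IANA name) and its OpenSSL spelling.
LEGACY_CBC_SUITE_IANA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
LEGACY_CBC_SUITE_OPENSSL = "ECDHE-RSA-AES256-SHA384"

# Assumed cipher strings: the first keeps the CBC suite for the listed
# legacy browsers, the second offers only AEAD (GCM / ChaCha20) suites.
LEGACY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:" + LEGACY_CBC_SUITE_OPENSSL
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"


def build_context(cipher_string):
    """Server context with TLS 1.2 as the floor and TLS 1.3 on top.

    set_ciphers() only governs TLS 1.2 and older; the TLS 1.3 suites are
    all AEAD and are selected separately by OpenSSL, which is why only
    their ordering differs between the Apache and Nginx results above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def offered_suites(ctx):
    """OpenSSL names of every suite the context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def cbc_suites(ctx):
    """Suites that are not AEAD, i.e. the CBC-mode ones the post calls weak."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def supports_legacy_cbc(ctx):
    """True if the old Safari/IE suite from the post is still on offer."""
    return LEGACY_CBC_SUITE_OPENSSL in offered_suites(ctx)


if __name__ == "__main__":
    for label, ciphers in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        ctx = build_context(ciphers)
        print(label, protocol_floor(ctx), "CBC suites:", cbc_suites(ctx))
```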