Unable to get 100% score without violating TLS 1.3 spec?
qwertychouskie opened this issue
As per https://serverfault.com/a/1033444:
Nginx doesn't support configuring TLS 1.3 cipher suites like this, and you shouldn't, as per RFC 8446, 9.1 there are Mandatory-to-Implement Cipher Suites.
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
Either this limitation should be documented somewhere, or an exception should be added for TLS_AES_128_GCM_SHA256 to not lower the score.
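A sketch of the exception requested above, added here as an illustration and not taken from the project or the quoted answer. It assumes a rating model in which cipher strength is the average of the weakest and strongest offered suite and only 256-bit keys earn 100; the bands, the function names and the sample suite list are all assumptions.

```python
# Added illustration: the scoring bands are an assumed model, not the tool's own code.
MANDATORY_TLS13 = {"TLS_AES_128_GCM_SHA256"}  # RFC 8446, section 9.1 (MUST implement)

# Constructed sample: suites a server offers, as (protocol, suite name, key bits).
OFFERED = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
    ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256", 256),
    ("TLSv1.3", "TLS_AES_128_GCM_SHA256", 128),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
]


def band(bits):
    """Assumed strength bands: only keys of 256 bits or more earn the full 100."""
    if bits >= 256:
        return 100
    if bits >= 128:
        return 80
    return 20 if bits > 0 else 0


def cipher_score(offered, exempt_mandatory=False):
    """Average of the strongest and weakest band among the suites that are scored.

    With exempt_mandatory=True, the TLS 1.3 mandatory-to-implement suite is left
    out of the calculation, so a spec-compliant server is not penalised for it.
    The exemption is keyed on protocol and name: a 128-bit TLS 1.2 suite still counts.
    """
    scored = [
        bits for proto, name, bits in offered
        if not (exempt_mandatory and proto == "TLSv1.3" and name in MANDATORY_TLS13)
    ]
    if not scored:  # server offers only the mandatory suite: score it as usual
        scored = [bits for _, _, bits in offered]
    bands = [band(b) for b in scored]
    return (max(bands) + min(bands)) / 2


if __name__ == "__main__":
    print("without exemption:", cipher_score(OFFERED))
    print("with exemption:   ", cipher_score(OFFERED, exempt_mandatory=True))
```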