TLS-Scanner
Encrypt-then-MAC extension test not working correctly
When I try to scan my own webpage - see https://tls-scanner.cs.uni-paderborn.de/report/hboeck.de I get a warning that it would not support the Encrypt-then-MAC extension:
Encrypt-then-MAC extension support: FALSE (Score: -50)
This server runs a pretty standard apache+openssl setup, and openssl enables the EtM extension by default if applicable. Apache does not disable it, so it should work. I can also see the extension if I manually connect to the server with TLS 1.3 disabled.
I have a guess why this check is not working: The EtM extension is not supported in TLS 1.3. It only applies to old CBC mode ciphers, and those are only supported in TLS <= 1.2. Possibly, TLS-Scanner is just checking the list of extensions it sees with a connection with TLS 1.3, and doesn't see it there.
You are right - that is pretty much what is happening. The Encrypt-then-MAC check should be a dedicated connection since we only need to exclusively offer CBC cipher suites.
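The verdict logic a dedicated check needs, as an added example that is not TLS-Scanner's own code: it parses a ServerHello, treats the EtM extension as meaningful only when the negotiated version is TLS 1.2 or lower and the suite is CBC, and shows the false negative the naive "is the extension in the list" check produces on a TLS 1.3 handshake. The CBC suite table is a small constructed subset and the three ServerHello messages are constructed test inputs.

```python
import struct

ETM_EXTENSION = 22          # encrypt_then_mac, RFC 7366
SUPPORTED_VERSIONS = 43     # supported_versions, RFC 8446
TLS12, TLS13 = 0x0303, 0x0304
# Constructed subset; a real scanner maps every IANA suite id to its mode.
CBC_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}

def parse_server_hello(body):
    """Parse a ServerHello body (bytes after the 4-byte handshake header)."""
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                   # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                       # cipher_suite + compression
    exts = {}
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            exts[etype] = body[pos:pos + elen]; pos += elen
    if SUPPORTED_VERSIONS in exts:  # TLS 1.3 carries its real version here
        version = struct.unpack(">H", exts[SUPPORTED_VERSIONS])[0]
    return version, cipher, exts

def naive_verdict(body):
    """The buggy check: look for the extension in whatever handshake we got."""
    return "supported" if ETM_EXTENSION in parse_server_hello(body)[2] else "unsupported"

def etm_verdict(body):
    """EtM is only negotiable for CBC suites in TLS <= 1.2; anything else is inconclusive
    and the scanner must retry with TLS 1.2 and a CBC-only cipher list."""
    version, cipher, exts = parse_server_hello(body)
    if version >= TLS13 or cipher not in CBC_SUITES:
        return "inconclusive"
    return "supported" if ETM_EXTENSION in exts else "unsupported"

def build_server_hello(version, cipher, exts):
    """Build a minimal ServerHello body (constructed test data, zeroed random)."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in exts.items())
    return (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"
            + struct.pack(">H", cipher) + b"\x00"
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)

TLS13_HELLO = build_server_hello(TLS12, 0x1301, {SUPPORTED_VERSIONS: b"\x03\x04"})
TLS12_CBC_ETM_HELLO = build_server_hello(TLS12, 0x002F, {ETM_EXTENSION: b""})
TLS12_CBC_NOETM_HELLO = build_server_hello(TLS12, 0x002F, {})
```

A server only echoes encrypt_then_mac when the ClientHello offered it, so the dedicated connection must send the extension alongside the CBC-only suite list.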