Fixs1.1 rc1 merge cipher list into main #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Initial version of CipherList as extracted from V1.0 specification
CBC and SHA1 are deprecated for TLS1.2 and above. Also added revision table to log key updates
|
@nhorlock you are ahead of the game! We do not have a markdown version of FIXS yet. The first one will be v1.1 RC1. I will leave out the cipher list in order to then merge your request into the main branch when there is a markdown version for the v1.1 RC1 spec. |
|
No problem, this can be a standalone file without the MD but hopefully we
can move to an MD form of the RC1 after the meeting this week
…On Mon, 15 Feb 2021 at 14:45, Hanno Klein ***@***.***> wrote:
@nhorlock <https://github.com/nhorlock> you are ahead of the game! We do
not have a markdown version of FIXS yet. The first one will be v1.1 RC1. I
will leave out the cipher list in order to then merge your request into the
main branch when there is a markdown version for the v1.1 RC1 spec.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AATWGASRCQIZGAR7XHMN7G3S7EXRHANCNFSM4XUWGHYQ>
.
|
kleihan
requested changes
Mar 11, 2021
chrjohn
reviewed
Mar 22, 2021
| | Version | Note | ||
| |---------|------ | ||
| | Initial | First commit, replicates FIXS V1.0 text | ||
| | 2021.1 | Updated to remove CBC and SHA1 as these deprecated for use with TLS1.2 and above. |
There was a problem hiding this comment.
Suggested change
| | 2021.1 | Updated to remove CBC and SHA1 as these deprecated for use with TLS1.2 and above. | |
| | 2021.1 | Updated to remove CBC and SHA1 as these are deprecated for use with TLS1.2 and above. |
chrjohn
reviewed
Mar 22, 2021
|
|
||
| ### Authentication | ||
| #### TLS Certificate Authentication | ||
| The following cipher suite list when using certificates for authentication. This includes using certificates in Simple TLS in conjunction with FIXA. The list ensures Forward Secrecy, avoids deprecated ciphers and should achieve good performance. The cipher suites are specified in our order of preference, starting with the most preferred cipher suite. |
There was a problem hiding this comment.
The following cipher suite list when using certificates for authentication.
I am sure there is something missing between "list" and "when". Maybe "should be used" or "should be considered" or "is recommended"?
chrjohn
reviewed
Mar 22, 2021
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| ``` | ||
| This list matches what is recommended as best practice from SSL Labs currently (November 2016), except we have given preference to performance of the TLS Record Protocol rather than the TLS Handshake Protocol's performance. The list should be used in conjunction with Session Caching. |
There was a problem hiding this comment.
Maybe omit the word "currently" in conjunction with November 2016. :)
chrjohn
reviewed
Mar 22, 2021
| ``` | ||
| This list matches what is recommended as best practice from SSL Labs currently (November 2016), except we have given preference to performance of the TLS Record Protocol rather than the TLS Handshake Protocol's performance. The list should be used in conjunction with Session Caching. | ||
|
|
||
| The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and a RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate. |
There was a problem hiding this comment.
Suggested change
| The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and a RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate. | |
| The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and an RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the initial version plus first revision of the cipherlist as extracted from the FIXS specification.
This contains the externalised cipher list and has been updated to remove ciphers that have been deprecated since it was first created (CBC and SHA1)
It does not add new ciphers listed on IANA,