FAPI 2.0: enforce TLS 1.2 and specific ciphers #327

Closed
paulswartz opened this issue Jan 7, 2024 · 0 comments · Fixed by #328

paulswartz commented Jan 7, 2024

Description

From FAPI 2.0 Security Profile:

shall only offer TLS protected endpoints and shall establish connections to other servers using TLS. TLS connections shall be set up to use TLS version 1.2 or later.

when using TLS 1.2, follow the recommendations for Secure Use of Transport Layer Security in [RFC7525].

shall perform a TLS server certificate check, as per [RFC6125].

when using TLS 1.2, the client should only permit the cipher suites listed in Section 5.2.2.1:

    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

As a part of this, we may also want to set better defaults for httpc: right now, I don't believe it's verifying server certificates unless the client provides separate SSL configuration. This was the case in OTP 25, but OTP 26 (required) has safe defaults.

@paulswartz paulswartz linked a pull request Jan 8, 2024 that will close this issue
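
An added example, not taken from the issue or from the project's code: one way to build `ssl` options for `httpc` that verify the server certificate, require TLS 1.2 or later, and limit TLS 1.2 to the four cipher suites quoted above. The module and function names are hypothetical. It assumes OTP 25 or later (for `public_key:cacerts_get/0`) and leaves TLS 1.3 suites at OTP's own selection, since the quoted list only restricts TLS 1.2.

```erlang
-module(fapi2_tls_example).
-export([ssl_opts/0, get/1]).

%% The four TLS 1.2 cipher suites quoted in the issue.
-define(FAPI2_TLS12_SUITES, [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]).

%% Client-side ssl options: verify the peer, check the hostname with
%% HTTPS rules, and pin versions and ciphers.
ssl_opts() ->
    %% Convert the RFC names into the maps the ciphers option expects.
    Tls12 = [ssl:str_to_suite(Name) || Name <- ?FAPI2_TLS12_SUITES],
    %% Assumption: keep the suites that exist only in TLS 1.3, so that a
    %% TLS 1.3 handshake remains possible alongside the restricted 1.2 list.
    Tls13 = ssl:cipher_suites(exclusive, 'tlsv1.3'),
    [
        %% Fail the handshake when the certificate chain does not validate.
        {verify, verify_peer},
        %% Trust anchors from the operating system store (OTP 25+).
        {cacerts, public_key:cacerts_get()},
        %% Hostname matching as HTTPS expects (wildcard handling).
        {customize_hostname_check, [
            {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
        ]},
        %% Nothing older than TLS 1.2 is offered.
        {versions, ['tlsv1.3', 'tlsv1.2']},
        {ciphers, Tls13 ++ Tls12}
    ].

%% Issue a GET with the options above passed explicitly, so the result
%% does not depend on the httpc defaults of the running OTP release.
get(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts()}], [{body_format, binary}]).
```

A server that offers only TLS 1.1, or only TLS 1.2 suites outside the list, makes `get/1` return an `{error, _}` tuple instead of a response.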