Some background reading I'm doing on future requirements to conform to TLS 1.3:
https://csrc.nist.gov/CSRC/media/Publications/sp/800-52/rev-2/draft/documents/sp800-52r2-draft.pdf
From November 15, 2017
https://csrc.nist.gov/News/2017/NIST-Releases-Draft-SP-800-52-Rev-2-for-public-co
"NIST announces the public comment release of Draft Special Publication 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2020. This Special Publication also provides guidance on certificates and TLS extensions that impact security."
Note the PDF of comments received:
- https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
- https://csrc.nist.gov/CSRC/media/Publications/sp/800-52/rev-2/draft/documents/sp800-52r2-draft-comments-received.pdf
- See the review comments, in particular:
  - Chary Chapinksi: "19. §3.3.1 contains cipher suites which appear in the RFC 7540 blacklist."
  - NSA: "3. page iii, lines 142-143, page iv, lines 170-171: There should be absolutely no plan to deprecate TLS1.2. In fact in the case where static RSA is required, those use cases should stay on TLS1.2. I do agree that TLS 1.3 should be supported, but don't give the impression that TLS1.2 is being deprecated by saying 'migration plan'. Or add a clarifying sentence/phrase stating that TLS1.2 will be acceptable in the long term."
Note that Revision 1 was released in April 2014.
References:
- RFC-5245 The Transport Layer Security (TLS) Protocol Version 1.2
- RFC-8120 Mutual Authentication Protocol for HTTP (Experimental) [April 2017]
- https://tools.ietf.org/id/draft-ietf-oauth-mtls-07.html [January 30, 2018]
- https://tools.ietf.org/html/draft-ietf-oauth-mtls-07 [January 29, 2018]
- RFC-7540 - Hypertext Transfer Protocol Version 2 (HTTP/2) - Appendix A. TLS 1.2 Cipher Suite Black List
TLS Basics:
- https://en.wikipedia.org/wiki/Transport_Layer_Security
- http://www.zytrax.com/tech/survival/ssl.html#ssl
- https://docs.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview
- https://blog.talpor.com/2015/07/ssltls-certificates-beginners-tutorial/
- https://dzone.com/articles/tls-security-tlsssl-explained
- https://dzone.com/articles/tlsssl-terminology-and-basics
- https://dzone.com/articles/tlsssl-certificates-part-4
Creating Self-Signed TLS Certificates:
- https://www.openssl.org/
- https://dzone.com/articles/create-a-self-signed-ssl-certificate-using-openssl
- https://www.linode.com/docs/security/ssl/create-a-self-signed-tls-certificate/
- https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
- https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
- https://devcenter.heroku.com/articles/ssl-certificate-self
Configuring TLS Mutual Authentication:
- https://en.wikipedia.org/wiki/Mutual_authentication
- http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session
- https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
YouTube F5 DevCentral: Explaining TLS 1.3
YouTube F5 DevCentral: TLS 1.3 Handshake