InCommon Baseline TLS 1.2

IAM David Bantz dabantz at alaska.edu
Wed Jun 30 21:32:20 UTC 2021


TLS 1.0 (1999) and TLS 1.1 (2006) are formally deprecated by IETF RFC 8996.

These versions lack support for current and recommended cryptographic
algorithms and mechanisms, and various government and industry
profiles of applications using TLS now mandate avoiding these old TLS
versions. TLS version 1.2 became the recommended version for IETF
protocols in 2008...

Web sites that negotiate a TLS 1.0 or 1.1 protocol will trigger user
warnings that connections are “not secure” from Chrome and other browsers.

IMO, yes, you really should regard those older protocols as a security risk
and update to support TLS 1.2 or 1.3. There are some niche needs for the
older protocols to support legacy devices that cannot support newer secure
TLS, but you can support legacy clients such as IE 11 and Android 5 using
TLS 1.2.

Note that the SSLLabs grading is not directly translatable into support for
TLS versions. You can disable support for anything less than TLS 1.2 and
still get a “grade” of B from SSLLabs if the server negotiates weak cipher
suites.

David St. Pierre Bantz

On 30Jun, 2021 at 12:11:44, Brent Goebel <Brent.Goebel at du.edu> wrote:

> Hello all,
>
> I'm following the InCommon Baseline Expectations 2 that is required for
> our IdPs. I see that one of the requirements is related to encryption. Link
> here:
> https://spaces.at.internet2.edu/display/federation/be2-guide-encrypt-endpoints
>
> When I run the SSLLabs Server Test on our IdP domain I get a score of a B.
> They require a score of an A or higher. I am getting a B because we support
> TLS 1.1. It seems like in order to get a higher score I need to not support
> TLS 1.0 and 1.1 and start supporting TLS 1.2.
>
> Looking through the Shibboleth user group I saw one conversation where
> some participants did not agree with InCommon on this requirement
> (attached). That was back in March 2021 so I wanted to start a new
> conversation on this.
>
> What are your thoughts or plans with this? I wanted to reach out and see
> what everyone is doing in regards to this. Are you all moving to TLS 1.2 to
> score an 'A'? Or are you just staying at a score of a 'B' for this and
> moving on? Any concerns you have with moving an IdP from TLS 1.0/1.1 to TLS
> 1.2?
>
> InCommon wants this all done by mid-July so I'm thinking some of you
> already started this.
>
> Thanks,
>
> Brent
>
> Brent Goebel
> Systems Engineer III
> Information Technology | University of Denver
> 2100 South High Street | Denver CO 80210
> brent.goebel at du.edu
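Two checks follow from the advice above: the server's floor must be TLS 1.2, and the suites it is still willing to negotiate must not be weak, or SSLLabs keeps the grade at B even with 1.0/1.1 gone. The script below is an added example, not code from the thread or from Shibboleth/InCommon. It builds a server-side ssl.SSLContext with TLS 1.2 as the minimum and a forward-secret, AEAD-only TLS 1.2 cipher list, then audits what OpenSSL will actually offer. The weak-suite markers (RC4, 3DES, NULL/export/anonymous, MD5, and any TLS 1.2 suite without ECDHE/DHE key exchange) and the cipher string are this example's own policy, not SSLLabs' published grading rules; CBC suites with SHA-1 MACs are left alone here. The probe() helper connects to a real host and is the only part that needs network access.

```python
"""Offline check of a TLS server configuration: TLS 1.2 floor plus a weak
cipher suite audit. Added example, not from the original thread; the weak
markers and cipher string are this example's policy, not SSLLabs' rules."""
import socket
import ssl

# Substrings that mark a suite as weak under this example's policy.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXP", "ADH", "AECDH", "MD5")


def is_weak(name: str) -> bool:
    """True if an OpenSSL-style suite name is one we refuse to offer."""
    if any(marker in name for marker in WEAK_MARKERS):
        return True
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are AEAD with forward secrecy.
    # For TLS 1.2 only ECDHE/DHE key exchange gives forward secrecy; anything
    # else (e.g. AES128-SHA, static RSA key exchange) is treated as weak here.
    return not name.startswith(("TLS_", "ECDHE-", "DHE-"))


def classify(suite_names):
    """Split a list of suite names into (weak, strong), preserving order."""
    weak = [s for s in suite_names if is_weak(s)]
    strong = [s for s in suite_names if not is_weak(s)]
    return weak, strong


def build_context(cipher_string=None) -> ssl.SSLContext:
    """Server context with TLS 1.2 as the floor and a forward-secret,
    AEAD-only TLS 1.2 cipher list. TLS 1.3 suites are configured separately
    by OpenSSL and stay enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string is None:
        cipher_string = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                         "!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return (minimum protocol name, weak suites, strong suites) that the
    context would actually offer, as reported by OpenSSL."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak, strong = classify(names)
    return ctx.minimum_version.name, weak, strong


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a live server and return (negotiated version, suite name).
    Needs network access; not used by the offline checks above."""
    client = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with client.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Constructed list standing in for what a legacy IdP might still offer.
    legacy_offer = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
                    "ECDHE-RSA-RC4-SHA", "DES-CBC3-SHA"]
    print("legacy offer -> weak suites:", classify(legacy_offer)[0])
    minimum, weak, strong = audit_context(build_context())
    print(f"hardened context: min={minimum}, weak={weak}, "
          f"strong={len(strong)} suites")
```

Run it against the cipher string your Tomcat/Jetty/Apache front end actually uses (pass it to build_context) and you see, before touching SSLLabs, whether anything weak survives the version cut-off; probe("idp.example.edu") against the live IdP then confirms what real clients negotiate.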