InCommon Baseline TLS 1.2
Brent.Goebel at du.edu
Wed Jun 30 21:41:33 UTC 2021
Thanks for the feedback. The SSLLabs grading had my cipher suites at a grade level of an ‘A.’ I understand other areas play a part in the grading, but the TLS is one that stuck out the most. My guess is I won’t score an A until I address that one in addition to any other areas noted as lower than an A with their scoring.
So have you updated your IdP to use TLS 1.2 and above? Did you see any issue with doing so for your IdP for your applications using your IdP for SSO?
Which webserver are you running? I’m running Jetty so if you have any insight on how you modified it that would be helpful as well. I started looking around and some say to modify jetty-ssl.xml to ‘ExcludeProtocols’ for 1.0 and 1.1 while another site said to update jetty-https.xml.
Thanks again for your feedback and help.
From: users <users-bounces at shibboleth.net> On Behalf Of IAM David Bantz
Sent: Wednesday, June 30, 2021 3:32 PM
To: Shib Users <users at shibboleth.net>
Subject: [EXTERNAL] RE: InCommon Baseline TLS 1.2
[External Email From]: users-bounces at shibboleth.net<mailto:users-bounces at shibboleth.net>
TLS 1.0 (1999) and TLS 1.1 (2006) are formally deprecated by IETF RFC 8996.
These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008...
Web sites that negotiate a TLS 1.0 or 1.1 protocol will trigger user warnings that connections are “not secure” from Chrome and other browsers.
IMO Yes, you really should regard those older protocols as a security risk and update to support TLS 1.2 or 1.3. There are some niche needs for the older protocols to support legacy devices that cannot support newer secure TLS, but you can support legacy clients such as IE 11 and Android 5 using TLS 1.2.
Note that the SSLLabs grading is not directly translatable into support for TLS versions. You can disable support for anything less than TLS 1.2 and still get a “grade” of B from SSLLabs if the server negotiates weak cipher suites.
David St. Pierre Bantz
On 30Jun, 2021 at 12:11:44, Brent Goebel <Brent.Goebel at du.edu<mailto:Brent.Goebel at du.edu>> wrote:
I’m following the InCommon Baseline Expectations 2 that is required for our IdPs. I see that one of the requirements is related to encryption. Link here: https://spaces.at.internet2.edu/display/federation/be2-guide-encrypt-endpoints<https://urldefense.com/v3/__https:/spaces.at.internet2.edu/display/federation/be2-guide-encrypt-endpoints__;!!NCZxaNi9jForCP_SxBKJCA!HSPx7AFH-vR_C-tv_jAP6QOcC4Fdu0En_G5YRrLa1wk2xhO_j9e5Mk0bcpIygh3YOQ$>
When I run the SSLLab Server Test on our IdP domain I get a score of a B. They require a score of an A or higher. I am getting a B because we support TLS 1.1. It seems like in order to get a higher score I need to not support TLS 1.0 and 1.1 and start supporting TLS 1.2.
Looking through the Shibboleth user group I saw one conversation where some participants did not agree with InCommon on this requirement (attached). That was back in March 2021 so I wanted to start a new conversation on this.
What are your thoughts or plans with this? I wanted to reach out and see what everyone is doing in regards to this. Are you all moving to TLS 1.2 to score an ‘A’? Or are you just staying at a score of a ‘B’ for this and moving on? Any concerns you have with moving an IdP from TLS 1.0/1.1 to TLS 1.2?
InCommon wants this all done by mid-July so I’m thinking some of you already started this.
Systems Engineer III
Information Technology ‖ University of Denver
2100 South High Street ‖ Denver CO 80210
brent.goebel at du.edu<mailto:brent.goebel at du.edu>
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg<https://urldefense.com/v3/__https:/wiki.shibboleth.net/confluence/x/coFAAg__;!!NCZxaNi9jForCP_SxBKJCA!HSPx7AFH-vR_C-tv_jAP6QOcC4Fdu0En_G5YRrLa1wk2xhO_j9e5Mk0bcpIq3YS0Rw$>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6262 bytes
More information about the users