InCommon Baseline TLS 1.2
Andrew Jason Morgan
morgan at oregonstate.edu
Wed Jun 30 22:48:11 UTC 2021
Hi Brent,
We (Oregon State University) removed TLS 1.0 and 1.1 from our IDP earlier this year (slight caveat below). There were zero issues with SAML because we don't support back-channel (Attribute Query) for SAML. All of our end-users' browsers were already using TLS 1.2.
We did run into trouble with legacy (old, unsupported) servers making CAS ticket validation requests, a kind of back-channel request. I cloned off an instance of our IDP, firewalled it down to just those legacy servers, and left it with TLS 1.0 enabled. I'll turn it off once the legacy hosts have been retired (which is in progress already).
Do you have any back-channel services? Have you turned on protocol logging to see which hosts, if any, are using TLS 1.0 or 1.1?
Thanks,
Andy
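As an added example (not part of Andy's reply or of the Shibboleth project), here is a small analysis script for the "turn on protocol logging" step above: it parses a handful of constructed TLS-protocol log lines and reports which client hosts still negotiated TLS 1.0/1.1 and which IdP endpoints they hit, so that the legacy back-channel callers (CAS ticket validators, attribute-query SPs) can be identified before the old protocols are switched off. The line layout (timestamp, client IP, negotiated protocol, cipher, request path) is an assumption for the example; adapt `LINE_RE` to whatever your web server or load balancer actually writes.

```python
import re
from collections import defaultdict

# Constructed sample log; the field layout below is assumed for this example and is
# not the IdP's or Jetty's own log format.
SAMPLE_LOG = """\
2021-06-29T08:02:11Z 10.1.4.22 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 /idp/profile/SAML2/Redirect/SSO
2021-06-29T08:02:15Z 10.1.9.7 TLSv1 AES128-SHA /idp/profile/cas/serviceValidate
2021-06-29T08:03:01Z 192.0.2.44 TLSv1.1 AES256-SHA /idp/profile/cas/serviceValidate
2021-06-29T08:03:40Z 10.1.4.23 TLSv1.3 TLS_AES_256_GCM_SHA384 /idp/profile/SAML2/POST/SSO
2021-06-29T08:04:02Z 10.1.9.7 TLSv1 AES128-SHA /idp/profile/cas/serviceValidate
this line is deliberately malformed and must be skipped
"""

# One record per line: timestamp, client address, negotiated protocol, cipher, path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) "
    r"(?P<proto>SSLv[23]|TLSv1(?:\.[123])?) "
    r"(?P<cipher>\S+) (?P<path>\S+)$"
)

# Protocol versions deprecated by RFC 8996 (plus SSLv2/v3, which are older still).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def protocol_summary(text):
    """Count handshakes per negotiated protocol version."""
    counts = defaultdict(int)
    for rec in parse_lines(text):
        counts[rec["proto"]] += 1
    return dict(counts)


def legacy_clients(text):
    """Map each client that used a legacy protocol to what it negotiated and where."""
    clients = {}
    for rec in parse_lines(text):
        if rec["proto"] not in LEGACY_PROTOCOLS:
            continue
        entry = clients.setdefault(
            rec["client"], {"count": 0, "protocols": set(), "paths": set()}
        )
        entry["count"] += 1
        entry["protocols"].add(rec["proto"])
        entry["paths"].add(rec["path"])
    return clients


def report(text):
    """Human-readable lines, busiest legacy client first."""
    lines = []
    for client, info in sorted(
        legacy_clients(text).items(), key=lambda kv: (-kv[1]["count"], kv[0])
    ):
        protos = ",".join(sorted(info["protocols"]))
        paths = ",".join(sorted(info["paths"]))
        lines.append(f"{client}: {info['count']} handshake(s) via {protos} -> {paths}")
    return lines


if __name__ == "__main__":
    print("per-protocol counts:", protocol_summary(SAMPLE_LOG))
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real day's worth of logs (for example by reading the file into `text`) before changing the Jetty configuration; an empty report means nothing observed still depends on TLS 1.0/1.1, while a non-empty one lists exactly the hosts that need the kind of firewalled legacy instance described above.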
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Brent Goebel <Brent.Goebel at du.edu>
Sent: Wednesday, June 30, 2021 2:41 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: RE: InCommon Baseline TLS 1.2
David,
Thanks for the feedback. The SSLLabs grading had my cipher suites at a grade level of an ‘A.’ I understand other areas play a part in the grading, but the TLS is one that stuck out the most. My guess is I won’t score an A until I address that one in addition to any other areas noted as lower than an A with their scoring.
So have you updated your IdP to use TLS 1.2 and above? Did you see any issue with doing so for your IdP for your applications using your IdP for SSO?
Which webserver are you running? I’m running Jetty so if you have any insight on how you modified it that would be helpful as well. I started looking around and some say to modify jetty-ssl.xml to ‘ExcludeProtocols’ for 1.0 and 1.1 while another site said to update jetty-https.xml.
Thanks again for your feedback and help.
Best,
Brent
From: users <users-bounces at shibboleth.net> On Behalf Of IAM David Bantz
Sent: Wednesday, June 30, 2021 3:32 PM
To: Shib Users <users at shibboleth.net>
Subject: [EXTERNAL] RE: InCommon Baseline TLS 1.2
TLS 1.0 (1999) and TLS 1.1 (2006) are formally deprecated by IETF RFC 8996.
These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008...
Web sites that negotiate a TLS 1.0 or 1.1 protocol will trigger user warnings that connections are “not secure” from Chrome and other browsers.
IMO Yes, you really should regard those older protocols as a security risk and update to support TLS 1.2 or 1.3. There are some niche needs for the older protocols to support legacy devices that cannot support newer secure TLS, but you can support legacy clients such as IE 11 and Android 5 using TLS 1.2.
Note that the SSLLabs grading is not directly translatable into support for TLS versions. You can disable support for anything less than TLS 1.2 and still get a “grade” of B from SSLLabs if the server negotiates weak cipher suites.
David St. Pierre Bantz
On 30 Jun 2021 at 12:11:44, Brent Goebel <Brent.Goebel at du.edu> wrote:
Hello all,
I’m following the InCommon Baseline Expectations 2 that is required for our IdPs. I see that one of the requirements is related to encryption. Link here: https://spaces.at.internet2.edu/display/federation/be2-guide-encrypt-endpoints
When I run the SSLLabs Server Test on our IdP domain I get a score of a B. They require a score of an A or higher. I am getting a B because we support TLS 1.1. It seems like in order to get a higher score I need to not support TLS 1.0 and 1.1 and start supporting TLS 1.2.
Looking through the Shibboleth user group I saw one conversation where some participants did not agree with InCommon on this requirement (attached). That was back in March 2021 so I wanted to start a new conversation on this.
What are your thoughts or plans with this? I wanted to reach out and see what everyone is doing in regards to this. Are you all moving to TLS 1.2 to score an ‘A’? Or are you just staying at a score of a ‘B’ for this and moving on? Any concerns you have with moving an IdP from TLS 1.0/1.1 to TLS 1.2?
InCommon wants this all done by mid-July so I’m thinking some of you already started this.
Thanks,
Brent
Brent Goebel
Systems Engineer III
Information Technology ‖ University of Denver
2100 South High Street ‖ Denver CO 80210
brent.goebel at du.edu