Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixs1.1 rc1 merge cipher list into main #1

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fixs1.1 rc1 merge cipher list into main #1

wants to merge 2 commits into from
+52 −0

Conversation

nhorlock
Copy link
Collaborator

This is the initial version plus first revision of the cipherlist as extracted from the FIXS specification.
This contains the externalised cipher list and has been updated to remove ciphers that have been deprecated since it was first created (CBC and SHA1)
It does not add new ciphers listed on IANA,

@nhorlock
Create CipherList.md
f8b9cc6 
Initial version of CipherList as extracted from V1.0 specification
@nhorlock
remove deprecated ciphers
3a80792 
CBC and SHA1 are deprecated for TLS1.2  and above.
Also added revision table to log key updates
@kleihan
Copy link
Member

kleihan commented Feb 15, 2021

@nhorlock you are ahead of the game! We do not have a markdown version of FIXS yet. The first one will be v1.1 RC1. I will leave out the cipher list in order to then merge your request into the main branch when there is a markdown version for the v1.1 RC1 spec.

@nhorlock
Copy link
Collaborator Author

nhorlock commented Feb 15, 2021 via email

kleihan
kleihan requested changes Mar 11, 2021
View reviewed changes
Copy link
Member

@kleihan kleihan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change the pull request to apply to RC2 and not RC1. Any change to an RC needs to be made to the next RC version.

chrjohn
chrjohn reviewed Mar 22, 2021
View reviewed changes
v1-1-RC1/CipherList.md
| Version | Note
|---------|------
| Initial | First commit, replicates FIXS V1.0 text
| 2021.1 | Updated to remove CBC and SHA1 as these deprecated for use with TLS1.2 and above.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| 2021.1 | Updated to remove CBC and SHA1 as these deprecated for use with TLS1.2 and above.
| 2021.1 | Updated to remove CBC and SHA1 as these are deprecated for use with TLS1.2 and above.

chrjohn
chrjohn reviewed Mar 22, 2021
View reviewed changes
v1-1-RC1/CipherList.md

### Authentication
#### TLS Certificate Authentication
The following cipher suite list when using certificates for authentication. This includes using certificates in Simple TLS in conjunction with FIXA. The list ensures Forward Secrecy, avoids deprecated ciphers and should achieve good performance. The cipher suites are specified in our order of preference, starting with the most preferred cipher suite.
Copy link
Contributor

@chrjohn chrjohn Mar 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following cipher suite list when using certificates for authentication.

I am sure there is something missing between "list" and "when". Maybe "should be used" or "should be considered" or "is recommended"?

chrjohn
chrjohn reviewed Mar 22, 2021
View reviewed changes
v1-1-RC1/CipherList.md
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
```
This list matches what is recommended as best practice from SSL Labs currently (November 2016), except we have given preference to performance of the TLS Record Protocol rather than the TLS Handshake Protocol's performance. The list should be used in conjunction with Session Caching.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe omit the word "currently" in conjunction with November 2016. :)

chrjohn
chrjohn reviewed Mar 22, 2021
View reviewed changes
v1-1-RC1/CipherList.md
```
This list matches what is recommended as best practice from SSL Labs currently (November 2016), except we have given preference to performance of the TLS Record Protocol rather than the TLS Handshake Protocol's performance. The list should be used in conjunction with Session Caching.

The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and a RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and a RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate.
The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and an RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate.

@kleihan
Copy link
Member

kleihan commented Mar 22, 2021

RC1 should not be changed, i.e. any corrections etc. should be made to the next release candidate as long as it has not been submitted to the GTC and approved for the public comment period. @nhorlock could you review the proposed changes from @chrjohn and create a pull request for RC2?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrjohn chrjohn chrjohn left review comments

@kleihan kleihan kleihan requested changes

@kilkennyc kilkennyc Awaiting requested review from kilkennyc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nhorlock @kleihan @chrjohn