Fixs1.1 rc1 merge cipher list into main #1
+52
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,52 @@ | ||||||
| # FIXS Recomended Cipher List | ||||||
| ## Purpose | ||||||
| This list is the reference list of approved ciphers for use with FIXS | ||||||
|
|
||||||
| Ciphers are listed in groups under sub-headings, first by TLS Version and then by use-case | ||||||
|
|
||||||
| - [FIXS Recomended Cipher List](#fixs-recomended-cipher-list) | ||||||
| - [Purpose](#purpose) | ||||||
| - [Overview](#overview) | ||||||
| - [Revision notes](#revision-notes) | ||||||
| - [TLS1.2](#tls12) | ||||||
| - [Authentication](#authentication) | ||||||
| - [TLS Certificate Authentication](#tls-certificate-authentication) | ||||||
| - [TLS PSK Authentication](#tls-psk-authentication) | ||||||
|
|
||||||
| ## Overview | ||||||
| The acronyms used in this appendix match those in the TLS Cipher Suite Registry which is authoritative and held at IANA for IETF. We have chosen to use these acronyms as opposed to, for example, using the ones from the OpenSSL cipher suite names. See | ||||||
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml or https://www.ietf.org/assignments/tls-parameters/tls-parameters.txt | ||||||
|
|
||||||
| ## Revision notes | ||||||
| For a full list of revisions refer to the git commit history | ||||||
| | Version | Note | ||||||
| |---------|------ | ||||||
| | Initial | First commit, replicates FIXS V1.0 text | ||||||
| | 2021.1 | Updated to remove CBC and SHA1 as these deprecated for use with TLS1.2 and above. | ||||||
|
|
||||||
| ## TLS1.2 | ||||||
|
|
||||||
| ### Authentication | ||||||
| #### TLS Certificate Authentication | ||||||
| The following cipher suite list when using certificates for authentication. This includes using certificates in Simple TLS in conjunction with FIXA. The list ensures Forward Secrecy, avoids deprecated ciphers and should achieve good performance. The cipher suites are specified in our order of preference, starting with the most preferred cipher suite. | ||||||
|
There was a problem hiding this comment.
I am sure there is something missing between "list" and "when". Maybe "should be used" or "should be considered" or "is recommended"? |
||||||
|
|
||||||
| ``` | ||||||
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
| ``` | ||||||
| This list matches what is recommended as best practice from SSL Labs currently (November 2016), except we have given preference to performance of the TLS Record Protocol rather than the TLS Handshake Protocol's performance. The list should be used in conjunction with Session Caching. | ||||||
|
There was a problem hiding this comment. Maybe omit the word "currently" in conjunction with November 2016. :) |
||||||
|
|
||||||
| The list details ECDSA certificate cipher suites followed by RSA certificate ones. It is possible to support both an ECDSA certificate and a RSA certificate at an end point, but only one certificate can be used at a time. In practice, only one kind of certificate is needed. Thus, if you are using an RSA certificate, the ECDSA cipher suites will be ignored so they can be omitted. Likewise, the RSA cipher suites will be ignored and can be omitted for an ECDSA certificate. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| #### TLS PSK Authentication | ||||||
|
|
||||||
| It is recommended to use the following cipher suite list when using PSKs for authentication. This is because the list ensures Forward Secrecy, avoids deprecated ciphers and should achieve good performance. The cipher suites are specified in our order of preference, starting with the most preferred cipher suite. | ||||||
| ``` | ||||||
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | ||||||
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | ||||||
| ``` | ||||||
| This list follows the same logic as in the list above for [certificate authentication](#tls-certificate-authentication), except it uses the cipher suites available for PSK authentication. | ||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.