Network Layer Protections restrict use of more recent TLS 1.2 ciphers
Issue #549
resolved
In https://openid.net/specs/fapi-2_0-baseline-01.html#name-network-layer-protections and https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations we’re restricting the use of TLS 1.2 ciphers to only 4 ciphers.
There were however ciphers added to TLS 1.2 after the BCP, e.g. https://www.rfc-editor.org/rfc/rfc7905, which I believe make no sense to restrict use of.
This affects both FAPI1 and FAPI2
Comments (18)
-
-
I now remember that we (sort of) discussed RFC7905: https://bitbucket.org/openid/fapi/issues/216/tls_ecdhe_ecdsa-cipher-suites#comment-53043157
The FAPI WG was reluctant to deviate from the TLS 1.2 BCP recommendations due to lacking the necessary expertise, and it seems the relevant IETF WG aren’t particularly keen to update the TLS 1.2 BCP.
-
reporter
- changed component to FAPI2: Baseline
-
-
Joseph pointed out in Nov 2 call about this: https://bitbucket.org/openid/fapi/annotate/master/FAPI_2_0_Security_Profile.md?at=master#FAPI_2_0_Security_Profile.md-153
-
- changed milestone to FINAL
-
reporter
- changed status to open
Yes Nat, the exact four ciphers are now listed. But that doesn't solve the questions at hand.
Additional TLS 1.2 suites were added after the BCP, these are now making its way to current network stacks, e.g. ChaCha20 AEAD ciphers from https://tools.ietf.org/html/rfc7905 and we are not permitting these, is there a reason to?
-
- changed component to FAPI2: Security Profile
-
The IETF BCP has now been updated: https://www.rfc-editor.org/rfc/rfc9325.html#name-cipher-suites-for-tls-12
Their recommendations on TLS 1.2 ciphers haven’t changed.
-
FYI: FAPI ISSUE 216 TLS_ECDHE_ECDSA cipher suites
-
Maybe we should ask TLS working group
It would also be good to get feedback from industry on this
-
We had another discussion on this and talked about rather pushing people to TLS 1.3. However at the moment the conformance test suite only supports 1.2
@Joseph Heenan there was a question about if there is a roadmap item to add support to TLS1.3
-
There are two separate sides to this - for outgoing connections from the suite everything is fine, TLS 1.3 should work as far as I know. So for testing banks, we’re mostly okay as that’s all outgoing connections from the suite [with the exception of CIBA Ping notifications].
Incoming connections (which mainly affect the RP tests) are more of an issue as we rely on path based negotiation of TLS certificates and it seems like this perhaps just isn’t possible in TLS 1.3, meaning we need to rework our ingress so that two different external hostnames with different TLS setups are routed to the same instance of the java suite, which requires docker/kubernetes magic that I don’t currently have a good handle on.
I opened https://gitlab.com/openid/conformance-suite/-/issues/1192 to track this.
-
(For clarity, looking into TLS 1.3 support is not currently something we have actively planned as we currently have more urgent things to tackle. If there’s reasons it’s more important that we thing, please let us know.)
-
- changed status to resolved
BCP195 was updated so it is taken care of now.
-
reporter
Can you provide link to the updated BCP?
-
-
(as per above, the TLS working groups recommendations on ciphers have not changed in the new BCP)
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- FAPI2: Security Profile
- Milestone
- FINAL
- Votes
- 0
- Watchers
- 1
I believe it is inappropriate for OpenID documents to list allowed or proscribed cypher suites due to the fact that OpenID documents cannot be revised, but only replaced. Essentially all cypher suites that are standardized today are to be replaced soon, which means that essentially all OpenID standards will be out-of-date.