Overview#

Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS; the recommendations are applicable to the majority of use cases.

Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) is defined in RFC 7525.

It is important both to stop using old, less secure versions of SSL/TLS and to start using modern, more secure versions; therefore, the following are the recommendations concerning TLS/SSL protocol versions:

Implementations MUST NOT negotiate SSL version 2 (SSLv2)#

Rationale: SSLv2 is considered insecure, and RFC 6176 prohibits its use.

Implementations MUST NOT negotiate SSL version 3 (SSLv3)#

Rationale: SSLv3 (RFC 6101) was an improvement over SSLv2 and plugged some significant security holes, but it does not support strong cipher suites. SSLv3 also does not support TLS extensions, some of which (e.g., renegotiation_info, RFC 5746) are security-critical.

In addition, with the emergence of the POODLE attack, SSLv3 is now widely recognized as fundamentally insecure, and RFC 7568 formally deprecates it.

Implementations SHOULD NOT negotiate TLS version 1.0 (RFC 2246)#

The only exception is when no higher version is available in the negotiation.

Rationale: TLS 1.0 (published in 1999) does not support many modern, strong cipher suites. In addition, TLS 1.0 lacks a per-record Initialization Vector (IV) for CBC-based cipher suites (the weakness exploited by the BEAST attack; see RFC 7457) and does not warn against common padding errors.

Implementations SHOULD NOT negotiate TLS version 1.1 (RFC 4346)#

The only exception is when no higher version is available in the negotiation.

Rationale: TLS 1.1 (published in 2006) is a security improvement over TLS 1.0 but still does not support certain stronger cipher suites.

Implementations MUST support TLS 1.2 (RFC 5246)#

And MUST prefer to negotiate TLS 1.2 over earlier versions of TLS.

Rationale: Several stronger cipher suites are available only with TLS 1.2 (published in 2008). In fact, the cipher suites recommended by RFC 7525 (Section 4.2) are only available in TLS 1.2.
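The version rules above come down to one question a server answers from the first bytes a client sends: what is the highest protocol version this client offers? The following added example (not code from RFC 7525 or from this page) parses a TLS ClientHello record and maps the offered version onto the MUST NOT / SHOULD NOT / MUST levels above, so captured hellos can be audited before a version is switched off. The function names (build_client_hello, parse_client_hello, rfc7525_verdict), the constructed sample hellos and the zeroed random field are this example's own choices; the wire layout follows RFC 5246 Section 7.4.1.2, and the supported_versions extension (RFC 8446) is read when present so that a client offering TLS 1.3 is classified correctly.

```python
"""Classify the protocol versions a TLS client offers in its ClientHello.

Added example for the version rules above (not code from RFC 7525 or this
wiki). Standard library only; the ClientHello messages are constructed
here with build_client_hello(), not captured from real clients.
"""
import struct

VERSION_NAMES = {0x0200: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 supported_versions extension


def build_client_hello(legacy_version, supported_versions=None,
                       cipher_suites=(0xC02F,)):
    """Build a minimal record-wrapped ClientHello (constructed sample data)."""
    body = struct.pack(">H", legacy_version) + bytes(32)   # version, random (zeros: sample only)
    body += b"\x00"                                        # empty session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record-layer version is conventionally 0x0301 whatever is offered.
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'legacy_version', 'supported_versions', 'highest'} for one record.

    Without a supported_versions extension the hello only reveals the highest
    version the client supports (legacy_version); the lowest it would accept
    is not on the wire, so 'supported_versions' is then empty.
    """
    if len(record) > 2 and record[0] & 0x80 and record[2] == 0x01:
        # SSLv2-format ClientHello: 2-byte length with the high bit set, then
        # msg_type 0x01. A server following RFC 7525 rejects it outright.
        return {"legacy_version": 0x0200, "supported_versions": [], "highest": 0x0200}
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version, = struct.unpack(">H", body[0:2])
    pos = 2 + 32                                              # skip random
    pos += 1 + body[pos]                                      # skip session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]      # skip cipher_suites
    pos += 1 + body[pos]                                      # skip compression_methods
    versions = []
    if pos + 2 <= len(body):                                  # extensions present
        ext_len, = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack(">H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
    # Drop GREASE/unknown values (RFC 8701) so they never count as "highest".
    versions = sorted((v for v in versions if v in VERSION_NAMES), reverse=True)
    highest = versions[0] if versions else legacy_version
    return {"legacy_version": legacy_version, "supported_versions": versions,
            "highest": highest}


def rfc7525_verdict(record):
    """Map the highest version a client offers onto the RFC 7525 version rules."""
    top = parse_client_hello(record)["highest"]
    name = VERSION_NAMES.get(top, hex(top))
    if top <= 0x0300:
        return "reject: MUST NOT negotiate " + name
    if top < 0x0303:
        return "fallback only: SHOULD NOT negotiate " + name
    return "ok: negotiate TLS 1.2 or higher (client offers " + name + ")"


if __name__ == "__main__":
    samples = {
        "legacy client": build_client_hello(0x0301),
        "ssl3 only": build_client_hello(0x0300, cipher_suites=(0x000A,)),
        "modern client": build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]),
    }
    for label, rec in samples.items():
        print(f"{label:14s} -> {rfc7525_verdict(rec)}")
```

The "fallback only" verdict is the exception the SHOULD NOT rules allow: a client whose highest offer is TLS 1.0 or 1.1 can still be served when nothing higher is available, but such clients are exactly the ones that break when that fallback is removed, so counting them in captured hellos is the check to run first. Note that a hello without supported_versions says nothing about the lowest version a client accepts, only the highest, which is why the parser reports legacy_version as the best available estimate in that case.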

« This page (revision-7) was last changed on 09-Jun-2017 09:15 by jim