Welcome to the HCL Connections Product Ideas Lab! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by the HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
This should not be handled by an Idea; this is basic security lifecycle support, which should be provided for a product that is still under support.
TLS 1.3, described in RFC 8446, is a significant update to previous versions that includes protections against security concerns that arose in previous versions of TLS.
Dutch National Cyber Security Centre (NCSC): Configure future-proof with updated TLS guidelines
...
Updated guidelines help create future-proof TLS configurations based on TLS 1.3
The NCSC has decided to scale down TLS 1.2 in security level from Good to Satisfactory. TLS 1.3, a thorough revision of TLS based on modern insights, remains Good. The NCSC thus considers TLS 1.2 still secure, but less future-proof than TLS 1.3. Configurations that met the 2019 guidelines (v2.0) are still compliant in this update (v2.1).
Ask your vendor to support TLS 1.3 as part of a future-proof TLS configuration
TLS 1.3 is now well available in recent versions of software libraries. The guidelines update is a good time to ask your vendor to start supporting TLS 1.3. By thinking about a future-proof configuration now, organizations can focus on threats that deserve daily attention.
https://www.ncsc.nl/actueel/nieuws/2021/januari/19/ict-beveiligingsrichtlijnen-voor-transport-layer-security-2.1
USA National Institute of Standards and Technology
US NIST SP 800-52 Rev. 2. "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations" requires that TLS 1.2 be configured as the minimum appropriate secure transport protocol and requires support for TLS 1.3 by January 1, 2024.
NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Clients: The client shall be configured to use TLS 1.2 and should be configured to use TLS 1.3. Agencies shall support TLS 1.3 by January 1, 2024. After this date, clients shall be configured to use TLS 1.3. In general, clients that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on clients that support TLS 1.3 if TLS 1.2 is not needed for interoperability.
NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Servers: Servers that support government-only applications shall be configured to use TLS 1.2 and should be configured to use TLS 1.3 as well. Agencies shall support TLS 1.3 by January 1, 2024. After this date, servers shall support TLS 1.3 for both government-only and citizen or business-facing applications. In general, servers that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on servers that support TLS 1.3 if it has been determined that TLS 1.2 is not needed for interoperability.
https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
Germany Federal Office for Information Security (BSI)
Technical Guideline TR-02102-2 "Cryptographic Mechanisms: Recommendations and Key Lengths; Part 2 – Use of Transport Layer Security (TLS)":
Recommendations for the choice of the TLS version:
In general, TLS 1.2 or TLS 1.3 should be used
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10
OWASP: Securely Deploying TLS 1.3, September 2017
Why TLS 1.3?
• Lower latency == happier users
• Conservative design == less churn
• Heavily reviewed and deployed today
Speed
• TLS impacts latency, not throughput
• Protocol setup requires one round trip
• Resume can be zero round trips
• Send application data ASAP
Your POODLE will not DROWN in CRIME
• All symmetric ciphers are AEAD
    • AES-GCM, AES-CCM, ChaCha20-Poly1305
• All key exchanges are ephemeral
    • FFDH over standard groups and ECDH
• All signatures are modern
    • RSA-PSS, ECDSA, EdDSA
• Troublesome features discarded
    • Compression, Export Ciphers, Explicit IV
https://owasp.org/www-pdf-archive/OWASP_LA_Securely_Deploying_TLS_1.3_Scott_Stender_2017_09.pdf
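As an added illustration (not part of the original post and not HCL code), the sketch below audits a Python `ssl.SSLContext` against the guidance quoted above: TLS 1.2 as the floor with TLS 1.3 enabled (NIST SP 800-52 Rev. 2), and AEAD-only suites with ephemeral key exchange (the OWASP slides). The function names and finding strings are assumptions made for this example; it only uses Python's standard `ssl` module.

```python
import ssl

V = ssl.TLSVersion

def check_versions(minimum, maximum, tls13_available=ssl.HAS_TLSv1_3):
    """Compare a protocol-version window with the quoted NIST SP 800-52 Rev. 2 text."""
    findings = []
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below TLS 1.2.
    if minimum != V.MAXIMUM_SUPPORTED and minimum < V.TLSv1_2:
        findings.append("floor is below TLS 1.2")
    # MAXIMUM_SUPPORTED means "whatever the library offers", so check the build.
    if maximum == V.MAXIMUM_SUPPORTED:
        if not tls13_available:
            findings.append("library build lacks TLS 1.3")
    elif maximum < V.TLSv1_3:
        findings.append("TLS 1.3 is not enabled")
    return findings

def legacy_suites(ctx):
    """Enabled suites that are not AEAD or that use static RSA key transport."""
    names = []
    for suite in ctx.get_ciphers():
        aead = suite.get("aead", False)
        ephemeral = suite.get("kea") != "kx-rsa"
        if not (aead and ephemeral):
            names.append(suite["name"])
    return names

def audit_context(ctx):
    """Collect all findings for one context."""
    findings = check_versions(ctx.minimum_version, ctx.maximum_version)
    if ctx.options & ssl.OP_NO_TLSv1_3:
        findings.append("TLS 1.3 is switched off by OP_NO_TLSv1_3")
    findings += ["non-AEAD or static-RSA suite enabled: " + name
                 for name in legacy_suites(ctx)]
    return findings

if __name__ == "__main__":
    # Audit the interpreter's default client context; results depend on the
    # local Python and OpenSSL build.
    for line in audit_context(ssl.create_default_context()) or ["no findings"]:
        print(line)
```

The cipher-string setting only governs TLS 1.2 and earlier suites; TLS 1.3 suites are listed separately by OpenSSL and are AEAD by design, which is why they never show up in `legacy_suites`.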