HCL Connections Ideas Portal


Status Needs Review
Created by Guest
Created on Jul 9, 2021

TLS 1.3 Support for Connections Blue, Pink and Docs

Support for TLS 1.3 should be added to the complete Connections stack

There are already recommendations to disable TLS 1.0 and customers already disabled TLS 1.0 on their servers. Security recommendations currently tend towards only supporting/recommending TLS 1.2 and TLS 1.3 with everything below that disabled.


  • Guest, Sep 29, 2022

    This should not be handled by an Idea; this is basic security lifecycle support, which should be provided for a product that is still under support.

  • Guest, Sep 28, 2022

    TLS 1.3, described in RFC 8446, is a significant update to previous versions that includes protections against security concerns that arose in previous versions of TLS.


    Dutch National Cyber Security Centre (NCSC): Configure future-proof with updated TLS guidelines

    ...

    Updated guidelines help create future-proof TLS configurations based on TLS 1.3

    The NCSC has decided to scale down TLS 1.2 in security level from Good to Satisfactory. TLS 1.3, a thorough revision of TLS based on modern insights, remains Good. The NCSC thus considers TLS 1.2 still secure, but less future-proof than TLS 1.3. Configurations that met the 2019 guidelines (v2.0) are still compliant in this update (v2.1).

    Ask your vendor to support TLS 1.3 as part of a future-proof TLS configuration

    TLS 1.3 is now well available in recent versions of software libraries. The guidelines update is a good time to ask your vendor to start supporting TLS 1.3. By thinking about a future-proof configuration now, organizations can focus on threats that deserve daily attention.

    https://www.ncsc.nl/actueel/nieuws/2021/januari/19/ict-beveiligingsrichtlijnen-voor-transport-layer-security-2.1

    USA National Institute of Standards and Technology

    US NIST SP 800-52 Rev. 2. "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations" requires that TLS 1.2 be configured as the minimum appropriate secure transport protocol and requires support for TLS 1.3 by January 1, 2024.

    NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Clients: The client shall be configured to use TLS 1.2 and should be configured to use TLS 1.3. Agencies shall support TLS 1.3 by January 1, 2024. After this date, clients shall be configured to use TLS 1.3. In general, clients that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on clients that support TLS 1.3 if TLS 1.2 is not needed for interoperability.

    NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Servers: Servers that support government-only applications shall be configured to use TLS 1.2 and should be configured to use TLS 1.3 as well. Agencies shall support TLS 1.3 by January 1, 2024. After this date, servers shall support TLS 1.3 for both government-only and citizen or business-facing applications. In general, servers that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on servers that support TLS 1.3 if it has been determined that TLS 1.2 is not needed for interoperability.

    https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final

    Germany Federal Office for Information Security (BSI)

    Technical Guideline TR-02102-2 "Cryptographic Mechanisms: Recommendations and Key Lengths; Part 2 – Use of Transport Layer Security (TLS)":

    Recommendations for the choice of the TLS version:

    In general, TLS 1.2 or TLS 1.3 should be used

    https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10


    OWASP: Securely Deploying TLS 1.3, September 2017

    Why TLS 1.3?

    • Lower latency == happier users

    • Conservative design == less churn

    • Heavily reviewed and deployed today


    Speed

    • TLS impacts latency, not throughput

    • Protocol setup requires one round trip

    • Resume can be zero round trips

    • Send application data ASAP


    Your POODLE will not DROWN in CRIME

    • All symmetric ciphers are AEAD
        • AES-GCM, AES-CCM, ChaCha20-Poly1305

    • All key exchanges are ephemeral
        • FFDH over standard groups and ECDH

    • All signatures are modern
        • RSA-PSS, ECDSA, EdDSA

    • Troublesome features discarded
        • Compression, Export Ciphers, Explicit IV


    https://owasp.org/www-pdf-archive/OWASP_LA_Securely_Deploying_TLS_1.3_Scott_Stender_2017_09.pdf
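As an added example (not part of this portal page, the comment above, or any HCL product), the following Python reads the RFC 8446 supported_versions extension out of a TLS ClientHello so an administrator can confirm that clients already offer TLS 1.3 before the server side drops older versions, as the NIST guidance quoted above calls for. The ClientHello records are constructed inline for the demonstration, not taken from a real capture.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 section 4.2.1


def offered_versions(record: bytes) -> list:
    """Return the protocol versions a ClientHello record offers, in the client's order.

    A TLS 1.3 client sets legacy_version to 0x0303 and lists its real candidates in the
    supported_versions extension; a pre-1.3 client has no such extension and offers only
    legacy_version (the highest version it supports).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack(">H", hello[:2])[0]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + hello[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # legacy_compression_methods
    if pos >= len(hello):
        return [legacy_version]                            # no extensions at all
    end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + length]
        if ext_type == SUPPORTED_VERSIONS_EXT:             # data[0] is the list length in bytes
            return [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        pos += 4 + length
    return [legacy_version]


def offered_version_names(record: bytes) -> list:
    """Human-readable form of offered_versions(); unknown values are shown as hex."""
    return [VERSION_NAMES.get(v, hex(v)) for v in offered_versions(record)]


def build_client_hello(versions, legacy_version=0x0303, suites=(0x1301, 0xC02F)) -> bytes:
    """Build a minimal ClientHello record (constructed sample data); versions=[] imitates a pre-1.3 client."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    hello = struct.pack(">H", legacy_version) + bytes(32) + b"\x00"           # zero random, empty session id
    hello += struct.pack(">H", len(suite_bytes)) + suite_bytes + b"\x01\x00"  # null compression only
    if versions:
        vers = b"".join(struct.pack(">H", v) for v in versions)
        ext = struct.pack(">HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
        hello += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

Run offered_version_names() over ClientHellos captured at the load balancer or reverse proxy to see which clients would break if TLS 1.2 were disabled after TLS 1.3 is enabled.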