ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Query about TLS renegotiation #446

Closed JoeGunnion closed 1 year ago

JoeGunnion commented 2 years ago

As per the CDR Tech team, we have been informed to raise this issue with Standards Maintenance and as Zendesk Query #1240.

Request as a result of ADR - Fiskil - testing.

Summary: TLS renegotiation is enabled on our server and Fiskil was expecting it not to be. By temporarily enabling it on their end, Fiskil was able to bypass the issue.

Query: Do we, at CFCU, need to specify the disable flags in the registry on our server to NOT allow TLS renegotiation? Our server is not specifying the disable flag and is enabled, hence expecting TLS renegotiation. Please advise.

Regards, Joseph Gunnion

nils-work commented 1 year ago

Hi @JoeGunnion

Just acknowledging that this is an older issue and the CDR Support Portal query (Zendesk 1240) appears to have been responded to.

In reply to your question though, the Standards are silent on the specifics of TLS renegotiation, but do provide requirements for Transaction Security, including specifying TLS >= 1.2, the use of MTLS, and references to other normative standards.

Further questions such as this may now be directed to the CDR Support Portal.