appdefensealliance / ASA-WG


Web Profile: Split 4.1.1 TLS requirements into two different requirements #84

Open mikewhiteman opened 3 months ago

mikewhiteman commented 3 months ago

Overview: We've shoehorned a few requirements into a single requirement (4.1.1) which may be challenging for developers to understand.

Recommendation: Let's break this into two distinct requirements:

1) Application shall enforce the use of TLS for all connections and default to TLS 1.2+. In cases where support for legacy clients is necessary, TLS 1.0 and 1.1 may be supported if mitigations are implemented to minimize the risk of downgrade attacks and known TLS exploits.

2) Application shall default to secure cipher suites and reject those with known vulnerabilities.
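
As an added illustration of the two proposed requirements (not code from the ASA-WG project or from the comment above), the following Python check uses the standard `ssl` module to build a server context that meets both points and to flag a configuration that does not. The weak-cipher marker list and the function names are assumptions for this example; the legacy-client exception in requirement 1 is reported as a finding rather than silently allowed.

```python
"""Compliance check for the proposed 4.1.1 split (added example, not project code)."""
import ssl

# Substrings that identify cipher suites with known weaknesses (constructed
# list for this example; the requirement text names no specific suites).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def check_tls_policy(minimum_version, cipher_names):
    """Return a list of findings; an empty list means both requirements hold.

    Requirement 1: default to TLS 1.2+ (anything lower is flagged so a
    reviewer can confirm the legacy-client mitigations are in place).
    Requirement 2: reject cipher suites with known vulnerabilities.
    """
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum TLS version is {minimum_version.name}; requirement is TLS 1.2+"
        )
    for name in cipher_names:
        if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def context_settings(ctx):
    """Extract (minimum_version, enabled cipher names) from an SSLContext."""
    return ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()]


def hardened_server_context():
    """Server context satisfying both requirements: TLS 1.2+ and AEAD suites
    with forward secrecy only; weak families are explicitly excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    # A configuration that would fail the split requirements (constructed).
    weak = check_tls_policy(ssl.TLSVersion.TLSv1, ["RC4-SHA", "DES-CBC3-SHA"])
    print("weak config findings:", weak)
    # The hardened context should produce no findings.
    print("hardened findings:", check_tls_policy(*context_settings(hardened_server_context())))
```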

8radree commented 3 months ago

As we are moving quickly to 1.0, let's defer this suggestion until the next version