sipcapture / homer-app

HOMER 7.x Front-End and API Server
http://sipcapture.io
GNU Affero General Public License v3.0

Make TLS version configurable #520

Closed ffloimair closed 1 year ago

ffloimair commented 1 year ago

By default, the echo server used in homer-app serves TLS 1.0. Since both TLS 1.0 and TLS 1.1 are considered deprecated (see: https://datatracker.ietf.org/doc/rfc8996/), the minimum TLS version should therefore be configurable and set to TLS 1.2 as the default value.

Also support Mozilla profiles (restricts cipher suites based on TLS version)

CLAassistant commented 1 year ago

CLA assistant check
All committers have signed the CLA.

ffloimair commented 1 year ago

Some info on the Mozilla profiles implemented as part of this PR: https://wiki.mozilla.org/Security/Server_Side_TLS

ffloimair commented 1 year ago

@adubovikov feedback much appreciated

adubovikov commented 1 year ago

@ffloimair Looks good to me. Thank you so much. About Mozilla's profiles: do they need to be enabled by default?

ffloimair commented 1 year ago

Thanks. They don't need to necessarily be enabled but I think it does make sense to make sure appropriate cipher suites are used. Some cipher suites that are "allowed" for TLS 1.2 are actually rather weak, so unless they are required they shouldn't be used. Using the profile makes sure to be on the safe side.

adubovikov commented 1 year ago

Ok, Thank you! Merged!
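
An added example, not code from this PR or from homer-app: one way to map a configurable minimum TLS version and a Mozilla-style profile onto Go's `crypto/tls`, following the behaviour discussed in the thread above. The function name `BuildTLSConfig` and the config values (`"1.2"`, `"intermediate"`, `"modern"`) are assumptions; the suite list is the ECDHE part of Mozilla's intermediate profile, because `crypto/tls` does not implement that profile's DHE suites.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Accepted minimum-version values (hypothetical names, not homer-app's settings).
var versions = map[string]uint16{
	"":    tls.VersionTLS12, // unset: default to TLS 1.2 (RFC 8996 deprecates 1.0/1.1)
	"1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11,
	"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13,
}

// TLS 1.2 suites of the Mozilla "intermediate" profile that crypto/tls
// implements: forward-secret key exchange with AEAD ciphers only.
var intermediate = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

// BuildTLSConfig maps two config strings to a *tls.Config. A profile may
// raise the configured minimum version, but never lowers it.
func BuildTLSConfig(minVersion, profile string) (*tls.Config, error) {
	v, ok := versions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unknown TLS version %q", minVersion)
	}
	cfg := &tls.Config{MinVersion: v}
	switch profile {
	case "": // no profile: Go's default suites for the chosen version
	case "intermediate":
		cfg.CipherSuites = intermediate
		if cfg.MinVersion < tls.VersionTLS12 {
			cfg.MinVersion = tls.VersionTLS12
		}
	case "modern": // TLS 1.3 only; Go selects the TLS 1.3 suites itself
		cfg.MinVersion = tls.VersionTLS13
	default:
		return nil, fmt.Errorf("unknown TLS profile %q", profile)
	}
	return cfg, nil
}

func main() {
	cfg, err := BuildTLSConfig("1.0", "intermediate")
	fmt.Printf("min=%#x suites=%d err=%v\n", cfg.MinVersion, len(cfg.CipherSuites), err)
}
```

The returned config can be assigned to the `TLSConfig` field of the `http.Server` that serves the application.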