Use a specific set of strong Cipher Suites by default #3450

Status: Open

sophokles73 opened this issue Dec 1, 2022 · 2 comments

Labels: enhancement; good first issue (Issues that do not require much in-depth knowledge of Hono); help wanted (Issues that we would welcome any help from (new) contributors with); security (Issues regarding system/data security/privacy)

Comments

@sophokles73 (Contributor)
The API endpoints of the protocol adapters and service components are secured using TLS. By default, TLS 1.2 and 1.3 are supported. However, currently the list of supported cipher suites is not set explicitly and is therefore determined by the underlying JSSE implementation (or native TLS provider like Open/BoringSSL).

In order to make the configuration more transparent, we should probably define and use an explicit list of suites that are generally considered safe and keep this list up-to-date with current development in this area.

One source for such a list might be https://www.feistyduck.com/library/openssl-cookbook/online/openssl-command-line/recommended-suite-configuration.html
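The issue asks for an explicit, documented allow-list instead of whatever the provider picks. The following is an added illustration, not Hono's own code: it intersects an ECDHE/AEAD-only allow-list (assumption: chosen to follow the spirit of the BSI TR-02102-2 recommendations, the exact list is a policy decision for the maintainers) with the suites the running JSSE provider actually supports, then applies the result to Vert.x `HttpServerOptions`, failing loudly rather than silently falling back to provider defaults. The class name `CipherSuitePolicy` and the check against the default `SSLContext` are assumptions; a native OpenSSL/BoringSSL engine would have to be queried through its own API.

```java
import io.vertx.core.http.HttpServerOptions;

import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical helper (added example): explicit TLS 1.2/1.3 cipher suite policy. */
public final class CipherSuitePolicy {

    // TLS 1.3 suites are all AEAD; order expresses preference.
    static final List<String> TLS13_SUITES = List.of(
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256");

    // TLS 1.2: forward secrecy (ECDHE) plus AEAD (GCM) only; no CBC, no RSA key transport.
    static final List<String> TLS12_SUITES = List.of(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    /** Returns the allow-listed suites, in preference order, that the JSSE provider can negotiate. */
    static List<String> supportedSubset() throws NoSuchAlgorithmException {
        // Assumption: the default JSSE context reflects the provider Hono will run with.
        Set<String> runtime = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> result = new ArrayList<>();
        for (String suite : TLS13_SUITES) { if (runtime.contains(suite)) result.add(suite); }
        for (String suite : TLS12_SUITES) { if (runtime.contains(suite)) result.add(suite); }
        return result;
    }

    /** Applies the policy: TLS 1.2/1.3 only, explicit suites, and no silent fallback to defaults. */
    static HttpServerOptions apply(HttpServerOptions options) throws NoSuchAlgorithmException {
        List<String> suites = supportedSubset();
        if (suites.isEmpty()) {
            throw new IllegalStateException("none of the allow-listed cipher suites is supported by this provider");
        }
        options.setEnabledSecureTransportProtocols(new HashSet<>(Set.of("TLSv1.2", "TLSv1.3")));
        suites.forEach(options::addEnabledCipherSuite);
        return options;
    }
}
```

Logging the resulting list at startup makes the effective configuration visible, which is the transparency the issue asks for.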

sophokles73 added the enhancement, help wanted, good first issue and security labels on Dec 1, 2022
sophokles73 added this to the 2.3.0 milestone on Dec 1, 2022
sophokles73 modified the milestones: 2.3.0, 2.4.0 on Feb 22, 2023
sophokles73 removed this from the 2.4.0 milestone on Aug 16, 2023

@sophokles73 (Contributor, Author)

An even better source for a recommended list of cipher suites etc. might be

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf

@sophokles73 (Contributor, Author)

We should also amend the description of the supportedCipherSuites configuration property in the admin guides with a pointer to the BSI list.
