#dominoforever | Product Ideas Portal


Support for TLS 1.3 Sametime 11.6 for including Sametime App IOS android


  • Guest
  • Sep 19 2022
  • Needs Review
  • Guest commented
    28 Sep 12:27pm

    Dutch National Cyber Security Centre (NCSC): Configure future-proof with updated TLS guidelines

    ...

    Updated guidelines help create future-proof TLS configurations based on TLS 1.3

    The NCSC has decided to scale down TLS 1.2 in security level from Good to Satisfactory. TLS 1.3, a thorough revision of TLS based on modern insights, remains Good. The NCSC thus considers TLS 1.2 still secure, but less future-proof than TLS 1.3. Configurations that met the 2019 guidelines (v2.0) are still compliant in this update (v2.1).

    Ask your vendor to support TLS 1.3 as part of a future-proof TLS configuration

    TLS 1.3 is now well available in recent versions of software libraries. The guidelines update is a good time to ask your vendor to start supporting TLS 1.3. By thinking about a future-proof configuration now, organizations can focus on threats that deserve daily attention.

    https://www.ncsc.nl/actueel/nieuws/2021/januari/19/ict-beveiligingsrichtlijnen-voor-transport-layer-security-2.1

  • Guest commented
    26 Sep 09:23am

    Problem:

    If Sametime Proxy is located behind SafeLinx 1.3 and customers decide to turn on only TLS 1.3 (see "Business case" comment), Sametime Chat on Android and iOS are not able to connect.

    Proposed Solution:

    Add support for TLS 1.3 (supported in iOS and Android 10 (API level 29)) to Sametime on Android and Sametime on iOS.

    Acceptance Criteria:
    Sametime on Android and Sametime on iOS able to connect to Sametime Proxy via a SafeLinx Server that supports only TLS 1.3

  • Guest commented
    26 Sep 09:20am

    Business case:

    TLS 1.3, described in RFC 8446, is a significant update to previous versions that includes protections against security concerns that arose in previous versions of TLS.


    USA National Institute of Standards and Technology

    US NIST SP 800-52 Rev. 2. "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations" requires that TLS 1.2 be configured as the minimum appropriate secure transport protocol and requires support for TLS 1.3 by January 1, 2024.


    NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Clients: The client shall be configured to use TLS 1.2 and should be configured to use TLS 1.3. Agencies shall support TLS 1.3 by January 1, 2024. After this date, clients shall be configured to use TLS 1.3. In general, clients that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on clients that support TLS 1.3 if TLS 1.2 is not needed for interoperability.


    NIST SP 800-52 Rev. 2. specifies minimum Requirements for TLS Servers: Servers that support government-only applications shall be configured to use TLS 1.2 and should be configured to use TLS 1.3 as well. Agencies shall support TLS 1.3 by January 1, 2024. After this date, servers shall support TLS 1.3 for both government-only and citizen or business-facing applications. In general, servers that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on servers that support TLS 1.3 if it has been determined that TLS 1.2 is not needed for interoperability.


    https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final



    Germany Federal Office for Information Security (BSI)

    Technical Guideline TR-02102-2 "Cryptographic Mechanisms: Recommendations and Key Lengths; Part 2 – Use of Transport Layer Security (TLS)":

    Recommendations for the choice of the TLS version:

    In general, TLS 1.2 or TLS 1.3 should be used

    https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10



    OWASP: Securely Deploying TLS 1.3, September 2017

    Why TLS 1.3?

    • Lower latency == happier users

    • Conservative design == less churn

    • Heavily reviewed and deployed today


    Speed

    • TLS impacts latency, not throughput

    • Protocol setup requires one round trip

    • Resume can be zero round trips

    • Send application data ASAP


    Your POODLE will not DROWN in CRIME

    • All symmetric ciphers are AEAD

    • AES-GCM, AES-CCM, ChaCha20-Poly1305

    • All key exchanges are ephemeral

    • FFDH over standard groups and ECDH

    • All signatures are modern

    • RSA-PSS, ECDSA, EdDSA

    • Troublesome features discarded

    • Compression, Export Ciphers, Explicit IV

    https://owasp.org/www-pdf-archive/OWASP_LA_Securely_Deploying_TLS_1.3_Scott_Stender_2017_09.pdf