FAPI 2.0: enforce TLS 1.2 and specific ciphers

Question

FAPI 2.0: enforce TLS 1.2 and specific ciphers

paulswartz opened this issue a year ago · 0 comments

Description

shall only offer TLS protected endpoints and shall establish connections to other servers using TLS. TLS connections shall be set up to use TLS version 1.2 or later.

when using TLS 1.2, follow the recommendations for Secure Use of Transport Layer Security in [RFC7525].

shall perform a TLS server certificate check, as per [RFC6125].

when using TLS 1.2, the client should only permit the cipher suites listed in Section 5.2.2.1
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

~~As a part of this, we may also want to set better defaults for httpc: right now, I don't believe it's server certificates unless the client provides separate SSL configuration.~~ This was the case in OTP 25, but OTP 26 (required) has safe defaults.