Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 13.0.11.Final, 14.0.0.CR2
Affects Version/s: 13.0.10.Final, 14.0.0.CR1
Component/s: Security, Server
Labels:
None

Git Pull Request:
https://github.com/infinispan/infinispan/pull/10281, https://github.com/infinispan/infinispan/pull/10283

Description

The cipher selection configuration is inadequate for TLS 1.3. We need to distinguish between ciphersuite filters (TLS 1.2 and below) and ciphersuite names (TLS 1.3).
The following is an example:

<security-realm name="default">
         <server-identities>
            <ssl>
               <engine enabled-protocols="TLSv1.3 TLSv1.2" enabled-ciphersuites-filter="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" enabled-ciphersuites-names="TLS_AES_256_GCM_SHA384"/>
            </ssl>
         </server-identities>
      </security-realm>

We should also provide proper defaults for the filters and names.

For filters, we use DEFAULT
For names, we use TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Attachments

Activity

People

Assignee:: Tristan Tarrant

Reporter:: Tristan Tarrant

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022/09/02 12:53 PM

Updated:: 2022/10/17 2:53 PM

Resolved:: 2022/09/08 8:12 AM