OpenDJ / OPENDJ-7635

TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not compatible with TLS 1.3


    Details

    • Type: Bug
    • Status: Done
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 7.1.0
    • Fix Version/s: 7.0.1, 7.1.0
    • Component/s: documentation
    • Labels:

      Description

      The admin guide configures a connection handler using TLS 1.3 and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher from RFC 5746: https://backstage.forgerock.com/docs/ds/7/security-guide/connections.html#tls-restrict-protocols-and-cipher-suites

      However, it seems like this pseudo cipher is an extension for TLS 1.2 and is not permitted by TLS 1.3. RFC 8446:

      Although TLS 1.3 uses the same cipher suite space as previous
      versions of TLS, TLS 1.3 cipher suites are defined differently, only
      specifying the symmetric ciphers, and cannot be used for TLS 1.2.
      Similarly, cipher suites for TLS 1.2 and lower cannot be used with
      TLS 1.3.

      It isn't very clear what Java's TLS 1.3 code will do with this (ignore it?), but it seems prudent to remove it from the examples if the intention is to only allow TLS 1.3.
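As an added illustration (not part of this issue or of OpenDJ's own code), a small Python check that flags the mismatch the report describes: cipher suites from the TLS 1.2-and-earlier space, including the RFC 5746 and RFC 7507 signalling values, configured on a handler that only allows TLSv1.3. Protocol and suite names are the standard JSSE/IANA spellings; the input lists are constructed here rather than read from dsconfig.

```python
"""Lint a TLS protocol/cipher-suite selection for protocol-version mismatches."""

# RFC 8446 Appendix B.4: the only cipher suites defined for TLS 1.3.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Signalling Cipher Suite Values: not real ciphers, only meaningful in pre-1.3 handshakes.
SCSV_SUITES = {
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746 secure-renegotiation signal
    "TLS_FALLBACK_SCSV",                  # RFC 7507 downgrade-protection signal
}


def classify_suite(name):
    """Return 'tls13', 'scsv', or 'legacy' (TLS 1.2 and earlier key-exchange suites)."""
    if name in TLS13_SUITES:
        return "tls13"
    if name in SCSV_SUITES:
        return "scsv"
    return "legacy"


def lint_tls_selection(protocols, suites):
    """Return findings for a protocol set (e.g. {'TLSv1.3'}) and a list of suite names."""
    protocols = set(protocols)
    only_13 = protocols == {"TLSv1.3"}
    kinds = {s: classify_suite(s) for s in suites}
    findings = []
    for suite, kind in kinds.items():
        if only_13 and kind != "tls13":
            findings.append(f"{suite} is a pre-TLS 1.3 {kind} value; remove it when only TLSv1.3 is enabled")
    if "TLSv1.3" in protocols and "tls13" not in kinds.values():
        findings.append("TLSv1.3 is enabled but no TLS 1.3 cipher suite is configured; no 1.3 handshake can succeed")
    if (protocols - {"TLSv1.3"}) and "legacy" not in kinds.values():
        findings.append("a pre-1.3 protocol is enabled but only TLS 1.3 suites are configured; those handshakes cannot succeed")
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the guide's example: TLS 1.3 only, plus the RFC 5746 SCSV.
    for line in lint_tls_selection({"TLSv1.3"}, ["TLS_AES_128_GCM_SHA256", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]):
        print(line)
```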


            People

            Assignee: Michal Severin (Inactive)
            Reporter: Chris Ridd
            Dev Assignee: Mark Craig
            QA Assignee: Michal Severin (Inactive)