Changes

Line 3: Line 3:  
Departments should make use of CSE-approved protocols, as outlined in: CSE’S ITSP.40.062 [https://www.cse-cst.gc.ca/en/publication/list/Security-Protocols Guidance on Securely Configuring Network Protocols].
 
Departments should make use of CSE-approved protocols, as outlined in: CSE’S ITSP.40.062 [https://www.cse-cst.gc.ca/en/publication/list/Security-Protocols Guidance on Securely Configuring Network Protocols].
   −
Per CSE guidance ITSP.40.062: TLS servers and clients should be configured to use TLS 1.2 as specified in RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 [9]. Older versions of TLS and all versions of Secure Sockets Layer (SSL) should not be used since vulnerabilities exist. Detailed TLS configuration guidance for both servers and clients is similarly provided in [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf NIST Special Publication (SP) 800 52 Rev 1 Guidelines on the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]. Note that [https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft NIST SP 800-52 Rev 2 draft] is available for review, but has yet to be formally published.
+
Per CSE guidance ITSP.40.062: TLS servers and clients should be configured to use TLS 1.2 as specified in RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 [9]. Older versions of TLS and all versions of Secure Sockets Layer (SSL) should not be used since vulnerabilities exist.
 +
 
 +
A broad overview of the use of TLS is provided in the draft [https://csrc.nist.gov/publications/detail/sp/1800-16/draft NIST Securing Web Transactions: TLS Server Certificate Management] Special Publication (SP 1800-16 (DRAFT)). Detailed TLS configuration guidance for both servers and clients is similarly provided in [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf NIST Special Publication (SP) 800 52 Rev 1 Guidelines on the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]. Note that [https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft NIST SP 800-52 Rev 2 draft] is available for review, but has yet to be formally published.
    
Departments are encouraged to make use of the Mozilla server configurator as a means to develop modern configuration scripts, in addition to the tools available at SSL Labs to test public facing web servers for security level and compatibility:
 
Departments are encouraged to make use of the Mozilla server configurator as a means to develop modern configuration scripts, in addition to the tools available at SSL Labs to test public facing web servers for security level and compatibility:
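Review bot: in the added paragraph beginning "A broad overview of the use of TLS", the word "similarly" in "Detailed TLS configuration guidance for both servers and clients is similarly provided in" was carried over from the removed line, where it followed the CSE sentence. It now follows the SP 1800-16 sentence, which is described as a broad overview rather than detailed configuration guidance, so the comparison no longer reads correctly; suggest dropping "similarly". The first link's label also leaves the publication number outside the link as "Special Publication (SP 1800-16 (DRAFT))" with nested parentheses; labelling it in the same style as "NIST SP 800-52 Rev 2 draft" would be more consistent. Since the paragraph now points at two drafts, the "has yet to be formally published" note would be easier to maintain with a date on it.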