Changes

Departments should make use of CSE-approved protocols, as outlined in: CSE’S ITSP.40.062 [https://www.cse-cst.gc.ca/en/publication/list/Security-Protocols Guidance on Securely Configuring Network Protocols]. Per CSE guidance ITSP.40.062: TLS servers and clients should be configured to use TLS 1.2 as specified in RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 [9]. Older versions of TLS and all versions of Secure Sockets Layer (SSL) should not be used since vulnerabilities exist.  

Departments should make use of CSE-approved protocols, as outlined in: CSE’S ITSP.40.062 [https://www.cse-cst.gc.ca/en/publication/list/Security-Protocols Guidance on Securely Configuring Network Protocols]. Per CSE guidance ITSP.40.062: TLS servers and clients should be configured to use TLS 1.2 as specified in RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 [9]. Older versions of TLS and all versions of Secure Sockets Layer (SSL) should not be used since vulnerabilities exist.  

A broad overview of the use of TLS is provided in the draft [https://csrc.nist.gov/publications/detail/sp/1800-16/draft NIST Securing Web Transactions: TLS Server Certificate Management] Special Publication (SP 1800-16 (DRAFT)). Detailed TLS configuration guidance for both servers and clients is similarly provided in [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf NIST Special Publication (SP) 800 52 Rev 1 Guidelines on the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]. Note that [https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft NIST SP 800-52 Rev 2 draft] is available for review, but has yet to be formally published.

A broad overview of the use of TLS is provided in the draft NIST [https://csrc.nist.gov/publications/detail/sp/1800-16/draft Securing Web Transactions: TLS Server Certificate Management Special Publication (SP 1800-16 (DRAFT))]. Detailed TLS configuration guidance for both servers and clients is similarly provided in [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf NIST Special Publication (SP) 800 52 Rev 1 Guidelines on the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]. Note that [https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft NIST SP 800-52 Rev 2 draft] is available for review, but has yet to be formally published.

Departments are encouraged to make use of the Mozilla server configurator as a means to develop modern configuration scripts, in addition to the tools available at SSL Labs to test public facing web servers for security level and compatibility:

Departments are encouraged to make use of the Mozilla server configurator as a means to develop modern configuration scripts, in addition to the tools available at SSL Labs to test public facing web servers for security level and compatibility: