29   TLS cipher suite support

Created: 17 Jul 2023

Status: Approval (Future Improvement)

Part: Part 3 (2023, Edition 2)

Links:

Page: 21

Clause: 7.2

Paragraph: Table 1

Issue

The ciphersuite TLS-RSA-WITH-AES-128-CBC-SHA256 is often signalled in vulnerability scanners as it supports no PFS and uses CBC. Currently we have 4 mandatory to support cipher suites. Proposal to make this cipher suite conditional to allow not supporting it.

Proposal

Proposal to make TLS-RSA-WITH-AES-128-CBC-SHA256 conditional for backward compatibility with RFC 5246. This provides the possibility to switch it off if no backward compatibility is required.

Discussion Created Status
- Approved during WG15 Meeting 10/2023, based on previous FDIS comment resolution discussion
- Proposal accepted 		19 Oct 23 Approval (Future Improvement)
I am OK with the additions.
Maybe add to both tables in the c1 note that this cipher suite also does not provide perfect forward secrecy. 		08 Aug 23 Discussion (red)
Proposal according to FDIS comment resolution 26 Jul 23 Discussion (red)
Accepted in FDIS comment resolution an WG15 meeting in May 2023 19 Jul 23 Accepted
Accepted during FDIS comment resolution but not included in the final IEC 62351-3 Ed.2.

Proposal to change the occurrence of TLS-RSA-WITH-AES-128-CBC-SHA256 in Table 1 and Table 9 to conditional and to add the statement:
This ciphersuite is provided to support backward compatibility with RFC 5246. Note that it does not provide perfect forward secrecy.
17 Jul 23 Triage

 

Privacy | Contact | Disclaimer

Tissue DB v. 23.12.13.1