[Openid-specs-fapi] Issue #698: Vulnerability in TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Tue May 21 19:07:47 UTC 2024
New issue 698: Vulnerability in TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
https://bitbucket.org/openid/fapi/issues/698/vulnerability-in
Joseph Heenan:
In [https://bitbucket.org/openid/fapi/issues/685/use-of-tls-12-ciphers#comment-66826146](https://bitbucket.org/openid/fapi/issues/685/use-of-tls-12-ciphers#comment-66826146) Tom Jones mentioned this page:
[https://ciphersuite.info/cs/TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256/](https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/)
which suggests that that TLS cipher \(which is one of the 4 required in FAPI1/2\) has issues.
[https://www.rfc-editor.org/rfc/rfc9325.html#appendix-A](https://www.rfc-editor.org/rfc/rfc9325.html#appendix-A) \(the update to the TLS BCP which has been published since FAPI1 went to final\) seems to mention “Dropped TLS\_DHE\_RSA\_WITH\_AES from the recommended ciphers”.
I’m not researched this enough to have a recommendation but it seems worth checking before FAPI2 goes final. I’m not sure what we could/would do about FAPI1.
More information about the Openid-specs-fapi
mailing list