It happens at least every few years: system administrators need to update the security configuration of their servers to keep up with the latest best practices and to close newly found security issues (for example, by changing the recommended TLS protocols and ciphers). These updates can be rocky. Change often introduces incompatibilities that prevent certain systems or programs from connecting to the updated servers.
(Article updated for January 10th, 2020).
In this article we are going to look at which email program and web browser incompatibilities arise when you migrate from the "old standard" (TLS v1.0+ with the ciphers recommended by NIST 800-52r1) to either TLS v1.0+ with the new NIST 800-52r2 ciphers or TLS v1.2+ with the new NIST 800-52r2 ciphers.
- PCI required that servers that need to be PCI compliant use only TLS v1.1+ (which in practice means v1.2+) by the end of June 2018.
- NIST 800-52r2 updated its recommended cipher list: it removed many ciphers from revision 1 that are now considered "weak" and introduced a number of new, stronger ciphers. Administrators should be using the NIST 800-52r2 cipher list as a best practice.
- Organizations that require HIPAA compliance should also follow the NIST guidelines, prepare for NIST 800-52r2 cipher support and, where possible, support TLS v1.3 and eventually eliminate pre-TLS 1.2 support. See: What level of TLS is required for HIPAA compliance?
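The compatibility problem the article describes can be seen without touching a live server by modelling the three server configurations (TLS v1.0+ with the older cipher list, TLS v1.0+ with the newer list, TLS v1.2+ with the newer list) against a few client profiles. The following is an added example, not code from the original article: the cipher-suite lists are illustrative stand-ins for the NIST 800-52r1 and 800-52r2 tables (ephemeral ECDH key exchange plus AEAD ciphers versus a list that also carries static-RSA CBC suites), the client profiles are constructed, and `negotiate`, `audit` and `build_server_context` are names chosen here. The last function expresses the TLS v1.2+ policy with Python's `ssl` module so you can see how the same floor and cipher restriction look against real OpenSSL.

```python
"""Model the server-side TLS policy change and check which constructed client
profiles can still complete a handshake. Added example; suite lists are
illustrative, not copies of the NIST 800-52 tables."""
import ssl
from dataclasses import dataclass

# Wire-format version numbers, used only to order protocol versions.
VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}

# Assumption: a newer-style list (ECDHE key exchange, AEAD ciphers) and an
# older-style list that additionally allows static-RSA CBC suites.
NEWER_STYLE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
OLDER_STYLE = NEWER_STYLE + [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


@dataclass(frozen=True)
class ServerPolicy:
    name: str
    min_version: str
    max_version: str
    suites: tuple  # server preference order


@dataclass(frozen=True)
class ClientProfile:
    name: str
    max_version: str
    suites: tuple


def negotiate(server, client):
    """Return (version, suite) the pair would agree on, or a string naming the
    reason the handshake fails. Simplified model: TLS 1.2-style suite names
    only, and a client is assumed to support every version up to its maximum."""
    version = min(server.max_version, client.max_version, key=VERSIONS.get)
    if VERSIONS[version] < VERSIONS[server.min_version]:
        return f"protocol mismatch: client offers at most {client.max_version}"
    for suite in server.suites:  # the server chooses in its own preference order
        if suite in client.suites:
            return (version, suite)
    return "no cipher suite in common"


def audit(server, clients):
    """Map each client name to its outcome against one server policy."""
    return {c.name: negotiate(server, c) for c in clients}


# Constructed client profiles standing in for the kinds of programs that break.
CLIENTS = (
    ClientProfile("current browser", "TLSv1.3", tuple(NEWER_STYLE)),
    ClientProfile("2013-era mail client", "TLSv1.2", tuple(OLDER_STYLE[-2:])),
    ClientProfile("legacy embedded client", "TLSv1.0", tuple(OLDER_STYLE[-2:])),
)

POLICIES = {
    "TLS1.0+, older list": ServerPolicy("old", "TLSv1.0", "TLSv1.2", tuple(OLDER_STYLE)),
    "TLS1.0+, newer list": ServerPolicy("r2 ciphers", "TLSv1.0", "TLSv1.2", tuple(NEWER_STYLE)),
    "TLS1.2+, newer list": ServerPolicy("r2 ciphers, 1.2 floor", "TLSv1.2", "TLSv1.2", tuple(NEWER_STYLE)),
}


def build_server_context():
    """The strictest policy expressed with the ssl module against real OpenSSL:
    TLS 1.2 as the floor and only ECDHE + AEAD suites (OpenSSL cipher-string
    syntax). Attach a certificate with load_cert_chain() before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(label)
        for client, outcome in audit(policy, CLIENTS).items():
            print(f"  {client:24} -> {outcome}")
    print("OpenSSL suites enabled:", [c["name"] for c in build_server_context().get_ciphers()])
```

Running the script shows the two distinct failure modes an administrator will see in the field: a client that speaks TLS 1.2 but only knows the older suites fails at cipher selection under both newer policies, while a TLS 1.0-only client is refused outright once the protocol floor moves to 1.2. Checking `get_ciphers()` on the real context is a quick way to confirm that a cipher string actually excludes what you intended before deploying it.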