Recommended security protocols and cipher suites are not supported
Hi,
You can see bellow the protocols (and cipher suites) supported by AIR and recommanded by Mozilla for an Intermediate security configuration :
/*
Cipher Suites:
TLS_AES_256_GCM_SHA384 |NOT SUPPORTED |
TLS_AES_128_GCM_SHA256 |NOT SUPPORTED |
TLS_CHACHA20_POLY1305_SHA256 |NOT SUPPORTED |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |RECOMMENDED
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |RECOMMENDED
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |NOT SUPPORTED |RECOMMENDED
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |RECOMMENDED
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |NOT SUPPORTED |RECOMMENDED
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |RECOMMENDED
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |RECOMMENDED
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |NOT SUPPORTED |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |RECOMMENDED
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |NOT SUPPORTED |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |NOT SUPPORTED |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |NOT SUPPORTED |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |OK |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |NOT SUPPORTED |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |NOT SUPPORTED |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |NOT SUPPORTED |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |NOT SUPPORTED |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |NOT SUPPORTED |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |OK |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |NOT SUPPORTED |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |OK |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |NOT SUPPORTED |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA |NOT SUPPORTED |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |NOT SUPPORTED |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |NOT SUPPORTED |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |NOT SUPPORTED |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |NOT SUPPORTED |
TLS_RSA_WITH_AES_256_GCM_SHA384 |NOT SUPPORTED |
TLS_RSA_WITH_AES_128_GCM_SHA256 |NOT SUPPORTED |
TLS_RSA_WITH_AES_256_CBC_SHA256 |OK |
TLS_RSA_WITH_AES_128_CBC_SHA256 |OK |
TLS_RSA_WITH_AES_256_CBC_SHA |OK |
TLS_RSA_WITH_AES_128_CBC_SHA |OK |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV |NOT SUPPORTED |
Protocols:
TLSv1.3 |NOT SUPPORTED |RECOMMENDED
TLSv1.2 |OK |RECOMMENDED
TLSv1.1 |OK |
TLSv1 |OK |
SSLv3 |NOT SUPPORTED |
SSLv2Hello |NOT SUPPORTED |
*/
Recommended Mozilla security configuration is detailed in its SSL Configuration Generator :
https://ssl-config.mozilla.org/#server=jetty&version=9.4.28&config=intermediate&guideline=5.6
Test has been build with an AIR SDK for Flex Developers - to be overlaid onto a Flex SDK with an apache-flex-sdk-4.16.1 :
https://airsdk.harman.com/download
http://flex.apache.org/download-binaries.html
It appears that TLSv1.2 is the only protocol supported and recommanded whereas there is no cipher suite supported and recommanded.
Please do you plan to maintain the security by implementing recommanded protocols and cipher suites ?
Best regards,
A. Bonnin.
AdChoices