Core: Require TLS 1.3 or newer
This is needed to support ESNI eventually (per #49). Also, I was worried about the following not supporting TLS 1.3 but they do (now):

- Netty on Android (for the Android Courier).
- GCP.
gnarea committed Jun 28, 2020
1 parent 84644fe commit 362b69f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rs000-core.md
Expand Up @@ -189,7 +189,7 @@ A message transport binding, or simply _binding_, defines the [adjacent-layer in

Bindings will typically leverage [Layer 7](https://en.wikipedia.org/wiki/Application_layer) protocols, such as HTTP or purpose-built ones, but they can also use an Inter-Process Communication (IPC) mechanism provided by the host system.

Communication MUST be encrypted when the two nodes are on different computers, otherwise it is optional. Communication is deemed to happen on the same computer when either the loopback network interface (i.e., addresses in the range `127.0.0.0/8`) or IPC is used. When encryption is used, it MUST be provided by Transport Layer Security (TLS) version 1.2 ([RFC 5246](https://tools.ietf.org/html/rfc5246)) or newer, or an equivalent technology in non-TCP connections (e.g., [DTLS](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security)). When using TLS, Server Name Identification per [RFC 6066](https://tools.ietf.org/html/rfc6066) MUST be supported by clients and it MAY be used by servers.
Communication MUST be encrypted when the two nodes are on different computers, otherwise it is optional. Communication is deemed to happen on the same computer when either the loopback network interface (i.e., addresses in the range `127.0.0.0/8`) or IPC is used. When encryption is used, it MUST be provided by Transport Layer Security (TLS) version 1.3 ([RFC 5246](https://tools.ietf.org/html/rfc5246)) or newer, or an equivalent technology in non-TCP connections (e.g., [DTLS](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security)). When using TLS, Server Name Identification per [RFC 6066](https://tools.ietf.org/html/rfc6066) MUST be supported by clients and it MAY be used by servers.

For performance reasons, nodes SHOULD use Unix domain sockets or any other IPC mechanism instead of the loopback network interface when they are on the same computer.
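Review bot: the added line raises the minimum to TLS version 1.3 but keeps the RFC 5246 citation, which the removed line correctly attached to TLS 1.2; TLS 1.3 is specified in RFC 8446, so the link should change to `Transport Layer Security (TLS) version 1.3 ([RFC 8446](https://tools.ietf.org/html/rfc8446))`. Two smaller points on the same line: the RFC 6066 extension is called Server Name Indication, not "Server Name Identification", and the "equivalent technology in non-TCP connections (e.g., DTLS)" clause should now state which DTLS version is considered equivalent to TLS 1.3, otherwise a DTLS 1.2 endpoint could claim compliance with a requirement the TCP side no longer allows.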

