On Tue, Jun 8, 2010 at 3:10 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
>> Yaron Goland
>> Section 3.3 - Is TLS/SSL mandatory or optional? And if so, what version of
>> TLS/SSL?
>
> Is it ok to require TLS 1.2?
>
>> To me this text implies that an OAuth server could be conformant and not
>> implement TLS/SSL but instead implement some other transport-layer
>> security mechanism (say a VPN protocol). From an interoperability
>> perspective that seems problematic since it means clients can't know what
>> transport-layer solution the token endpoint will support. Wouldn't it be
>> reasonable to put in a requirement that all OAuth endpoints MUST support
>> RFC 5246 and RFC 5746?
>
> 5246 makes sense. I don't know enough to say about 5746.
>
>> In other words the language could read: "...the authorization server MUST
>> require the use of a transport-layer mechanism when sending requests to
>> the token endpoints. Specifically, authorization servers MUST support
>> version 1.2 of TLS as defined in RFC 5246 and extended in RFC 5746 and MAY
>> support other equivalent secure channel mechanisms".
Does anyone have a list of libraries that support TLS 1.2? OpenSSL, for
example, only supports TLS 1.0 in the current stable release. That'd be
RFC 2246 (presumably plus extensions).

I don't know the difference between SSL and TLS, let alone TLS 1.0 and
TLS 1.2, but a systems friend of mine says:

> I don't think it is realistic to require anything higher than TLS 1.0.
>
> OpenSSL 0.9, which is still supported and is the version in every major Linux
> distro's package manager, only supports TLS 1.0.
>
> OpenSSL 1.0 AFAIK also only supports TLS 1.0. OpenSSL 1.1.0 is going to have
> support for TLS 1.1 [1], but is "some years away" as of about a year ago [2].
>
> Debian: 0.9.8c http://packages.debian.org/etch/openssl
> Ubuntu: 0.9.8k http://packages.ubuntu.com/lucid/openssl
> RHEL5 : 0.9.8e http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/
>
> [1]: http://marc.info/?l=openssl-users&m=127531288020106&w=2
> [2]: http://www.mail-archive.com/openssl-us...@openssl.org/msg56601.html

--mdawaffe

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
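The interoperability question the thread is weighing, as an added example that is not part of the thread and not code from any of the posters: a Go program (Go's crypto/tls rather than OpenSSL) stands up a token endpoint whose TLS stack is capped at TLS 1.0, the situation the OpenSSL 0.9.8 list describes, and connects to it with a client that enforces the proposed "MUST support TLS 1.2" as a version floor. The host name token.example, the self-signed certificate, and the loopback listener are all constructed for the example. The third case in main goes beyond the thread: it shows the same legacy server being accepted once the client's floor is lowered to TLS 1.0, which is the trade-off being discussed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// Hypothetical host name for the token endpoint; only used for cert verification.
const tokenEndpointHost = "token.example"

// newSelfSignedCert builds a throwaway ECDSA cert and a root pool that trusts it (offline).
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: tokenEndpointHost},
		DNSNames:              []string{tokenEndpointHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// serverConfig models an authorization server whose TLS stack tops out at maxVersion
// (tls.VersionTLS10 stands in for the OpenSSL 0.9.8 builds listed in the thread).
func serverConfig(cert tls.Certificate, maxVersion uint16) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
}

// clientConfig is the token-endpoint client with an explicit version floor.
func clientConfig(roots *x509.CertPool, minVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: tokenEndpointHost, MinVersion: minVersion}
}

// handshake runs one handshake over loopback TCP and returns the negotiated version,
// or the client-side error when the two version policies do not overlap.
func handshake(srv, cli *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srv).Handshake()
		}
		srvDone <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	c := tls.Client(raw, cli)
	err = c.Handshake()
	<-srvDone // by now the server has either completed or sent its alert
	if err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	// (server ceiling, client floor): legacy/strict, compliant/strict, legacy/lenient.
	for _, p := range [][2]uint16{{tls.VersionTLS10, tls.VersionTLS12}, {tls.VersionTLS12, tls.VersionTLS12}, {tls.VersionTLS10, tls.VersionTLS10}} {
		v, err := handshake(serverConfig(cert, p[0]), clientConfig(roots, p[1]))
		fmt.Printf("server max 0x%04x, client min 0x%04x: negotiated 0x%04x, err=%v\n", p[0], p[1], v, err)
	}
}
```

The first case is the one the proposed text creates: the client with a TLS 1.2 floor never gets past the ServerHello against a TLS 1.0-only server, the server sends a protocol_version alert and the client surfaces it as an error. The second case is the same client against a server that meets the MUST and negotiates 0x0303 (TLS 1.2). The third case shows that interoperability with the legacy server is restored only by giving up the floor on the client side, which is exactly what a MUST in the spec is meant to stop.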