From 5903259964d951903ee591b4aa4b9f1f7fbaaf71 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Fri, 6 Dec 2024 21:33:10 +0200 Subject: [PATCH] Clarify 9.4.1 about foward secrecy to resolve #2215 (#2439) --- 5.0/en/0x17-V9-Communications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x17-V9-Communications.md b/5.0/en/0x17-V9-Communications.md index 027978a645..7292806481 100644 --- a/5.0/en/0x17-V9-Communications.md +++ b/5.0/en/0x17-V9-Communications.md @@ -68,7 +68,7 @@ Use secure TLS configuration and up-to-date tools to review the configuration on | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **9.4.1** | [MODIFIED, MOVED FROM 9.1.2] Verify that only the latest recommended cipher suites are enabled, with the strongest cipher suites set as preferred. | ✓ | ✓ | ✓ | 326 | +| **9.4.1** | [MODIFIED, MOVED FROM 9.1.2] Verify that only the latest recommended cipher suites are enabled, with the strongest cipher suites set as preferred. L3 applications must only support cipher suites which provide forward secrecy. | ✓ | ✓ | ✓ | 326 | | **9.4.2** | [MOVED FROM 9.1.3] Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option. | ✓ | ✓ | ✓ | 326 | | **9.4.3** | [MOVED FROM 9.2.4] Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. | | ✓ | ✓ | 299 | | **9.4.4** | [ADDED] Verify that Encrypted Client Hello (ECH) is supported and properly configured within the application’s TLS settings to prevent exposure of sensitive metadata, such as the Server Name Indication (SNI), during TLS handshake processes. | | | ✓ | |
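Review bot: the added sentence in the 9.4.1 row ("L3 applications must only support cipher suites which provide forward secrecy.") places a level-specific obligation inside a requirement whose L1, L2 and L3 columns all remain ticked, so a reader filtering the table by level cannot see that this row carries a stricter L3 variant; consider splitting the forward-secrecy clause into its own L3-only row, or phrasing it so the level columns alone express the difference. It would also help to say what "provide forward secrecy" means in practice: in TLS 1.2 forward secrecy is a property of the key-exchange part of the cipher suite (ephemeral ECDHE/DHE rather than static RSA or DH key exchange), whereas every TLS 1.3 cipher suite uses ephemeral key exchange, so the new clause in effect constrains TLS 1.2 configurations. The CWE column is left at 326 (Inadequate Encryption Strength), which is reasonable, but worth confirming that mapping is still the intended one for the expanded requirement.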