I was reviewing the config.h file used to configure mbedtls. It allows fine-grained selection of many of the features of the library. By default, it disables SSL 3.0 and allows TLS 1.0, 1.1 and 1.2. Can we disable 1.0 and 1.1 as well? The security spec refers to RFC 6347, which suggests to me that only 1.2 is allowed. Supporting 1.1 and 1.0 in IoTivity is extra attack surface and code size that we can hopefully avoid. Is anyone aware of any backwards compatibility issues this would introduce with previous versions of IoTivity? (If so, do we care?)
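As an added check, not code from the thread or from IoTivity, here is a POSIX shell script that audits an mbedtls 2.x config.h for the protocol-version options the message above mentions and comments out the pre-1.2 ones the way mbedtls itself disables options. The config.h excerpt is constructed for the example; the option names (MBEDTLS_SSL_PROTO_SSL3, MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_PROTO_TLS1_2) are mbedtls's own.

```sh
#!/bin/sh
# Constructed excerpt of an mbedtls 2.x config.h (not IoTivity's actual file):
# the protocol-version options as they ship by default, SSL 3.0 commented out
# and TLS 1.0 / 1.1 / 1.2 compiled in.
make_sample_config() {
  cat > "$1" <<'EOF'
//#define MBEDTLS_SSL_PROTO_SSL3
#define MBEDTLS_SSL_PROTO_TLS1
#define MBEDTLS_SSL_PROTO_TLS1_1
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_DTLS
EOF
}

# Return 0 if the option is actively defined (a commented-out line does not count).
macro_enabled() {
  grep -Eq "^[[:space:]]*#define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Audit: fail if any pre-1.2 protocol version is still compiled in, or if 1.2 is not.
check_tls_versions() {
  cfg=$1; rc=0
  for legacy in MBEDTLS_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1_1; do
    if macro_enabled "$cfg" "$legacy"; then
      echo "FAIL: $legacy is enabled in $cfg" >&2; rc=1
    fi
  done
  macro_enabled "$cfg" MBEDTLS_SSL_PROTO_TLS1_2 || { echo "FAIL: MBEDTLS_SSL_PROTO_TLS1_2 missing in $cfg" >&2; rc=1; }
  return $rc
}

# Harden in place: comment out the legacy definitions. The trailing group keeps
# MBEDTLS_SSL_PROTO_TLS1_2 untouched, since "TLS1" followed by "_2" does not match.
disable_legacy_tls() {
  sed -i.bak -E 's@^([[:space:]]*)#define[[:space:]]+(MBEDTLS_SSL_PROTO_(SSL3|TLS1|TLS1_1))([[:space:]]|$)@\1//#define \2\4@' "$1"
}
```

Run `check_tls_versions path/to/config.h` in the build to catch a config that silently re-enables TLS 1.0 or 1.1; `disable_legacy_tls` applies the fix and leaves a `.bak` copy.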
I'd like this one to be done in 1.2 so that we don't have some devices that do support 1.0 and 1.1. https://jira.iotivity.org/browse/IOT-1429

I would like to disable many other things as well (everything that isn't required to implement the spec), but this can be done post-1.2. I've created a spec bug too to make this clear, hopefully in the OCF 1.0 spec: https://bugzilla.openconnectivity.org/show_bug.cgi?id=1180

Greg
