ATNA for Connectathon: *CONFIRMED* - TLS version & ciphersuite

[Lynn Felhofer]

Attention ATNA testers (one more time),

Last week, I sent an inquiry (copied below) to this group proposing a change to the list of cipher suites used for peer-to-peer testing of transactions over TLS (eg XDS, XCA and others).   I proposed no longer using TLS_RSA_WITH_AES_128_CBC_SHA, which had been part of CAT testing for many years.

Thank you to all who responded.  While I did not hear from every system testing ATNA, there was no one who indicated that the newer cipher suites would cause them a problem.

Thus,

for the March 2021 IHE Connectathon, or peer-to-peer transactions using TLS test partners will use:

• TLS 1.2
• cipher suite  - any one of:
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• and, like always, a digital certificate obtained from Gazelle Security Suite

I have updated the information on our ATNA Resources page to reflect this policy:  https://gazelle.ihe.net/content/atna-testing-digital-certificates-ihe-connectathons#SecurityPolicy

• A small point:  Our current pre-Connectathon test 11108 is now out of date because it checks for TLS 1.2 with the previous/weak cipher.   You can ignore that test, and we will update it for the June Connectathon.

On a related topic, some of you have noticed missing entries on the TLS tab of your ATNA Questionnaire.  This affects some (not all) questionnaires.  I am working with the Gazelle dev team on a remedy and I expect a fix soon.   If you are  affected, you will hear from me.

Contact me if you have questions or concerns about testing ATNA,

Lynn

On Feb 10, 2021, at 8:00 PM, Lynn Felhofer <felhof...@gmail.com> wrote:

Attention ATNA testers,

Last week I sent information (below) about ATNA testing that included information about testing TLS, both with the Gazelle Security Suite tool and for peer-to-peer testing during Connectathon week.

• Gazelle Security Suite enables you to test various TLS configurations (TLS versions and different cipher suites) as both a client and server
• For peer-to-peer testing during Connectathon week, for the past 2-3 years at both NE and EU Connectathons, we have selected TLS 1.2 with TLS_RSA_WITH_AES_128_CBC_SHA.   We selected that cipher suite for prior Connectathons because some participants were using software libraries that did not support the stronger cipher suites specified in the new ATNA options with BCP195

CURRENT ISSUE:  I have a report from one Connectahon participant that the more recent software libraries they are using no longer have support for TLS_RSA_WITH_AES_128_CBC_SHA, so it is impossible for them to configure that cipher suite with TLS 1.2     If that is true for one test system, it probably is true for others.

QUESTION:    During Connectathon week, for peer-to-peer testing using TLS (eg XDS transactions, others…), if we specified using TLS 1.2 with one of the following stronger cipher suites...

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

...would that be a problem for you?

If you could investigate this and send me an email identifying your test system name and — “problem", or "no problem" -- I’d like to confirm this and make a decision on this early next week.

Thanks for your support in avoiding a “Connectahton Monday TLS surprise”

Lynn