Appendix A. Differences from RFC 7525

This revision of the Best Current Practices contains numerous changes, and this section is focused on the normative changes.

  • High-level differences:

    • Described the expectations from new TLS-incorporating transport protocols and from new application protocols layered on TLS.

    • Clarified items (e.g., renegotiation) that only apply to TLS 1.2.

    • Changed the status of TLS 1.0 and 1.1 from "SHOULD NOT" to "MUST NOT".

    • Added TLS 1.3 at a "SHOULD" level.

    • Made similar changes to DTLS.

    • Included specific guidance for multiplexed protocols.

    • MUST-level implementation requirement for ALPN and more specific SHOULD-level guidance for ALPN and SNI.

    • Clarified discussion of strict TLS policies, including MUST-level recommendations.

    • Limits on key usage.

    • New attacks since [RFC7457]: ALPACA, Raccoon, Logjam, and "Nonce-Disrespecting Adversaries".

    • RFC 6961 (OCSP status_request_v2) has been deprecated.

    • MUST-level requirement for server-side RSA certificates to have a 2048-bit modulus at a minimum, replacing a "SHOULD".

  • Differences specific to TLS 1.2:

    • SHOULD-level guidance on AES-GCM nonce generation.

    • SHOULD NOT use (static or ephemeral) finite-field DH key agreement.

    • SHOULD NOT reuse ephemeral finite-field DH keys across multiple connections.

    • SHOULD NOT use static Elliptic Curve DH key exchange.

    • 2048-bit DH is now a "MUST" and ECDH minimal curve size is 224 (vs. 192 previously).

    • Support for extended_master_secret is now a "MUST" (previously it was a soft recommendation, as the RFC had not been published at the time). Also removed other, more complicated, related mitigations.

    • MUST-level restriction on session ticket validity, replacing a "SHOULD".

    • SHOULD-level restriction on the TLS session duration, depending on the rotation period of an [RFC5077] ticket key.

    • Dropped TLS_DHE_RSA_WITH_AES from the recommended ciphers.

    • Added TLS_ECDHE_ECDSA_WITH_AES to the recommended ciphers.

    • SHOULD NOT use the old MTI cipher suite, TLS_RSA_WITH_AES_128_CBC_SHA.

    • Recommended curve X25519 alongside NIST P-256.

  • Differences specific to TLS 1.3:

    • New TLS 1.3 capabilities: 0-RTT.

    • Removed capabilities: renegotiation and compression.

    • Added mention of TLS Encrypted Client Hello, but no recommendation for use until it is finalized.

    • SHOULD-level requirement for forward secrecy in TLS 1.3 session resumption.

    • Generic MUST-level guidance to avoid 0-RTT unless it is documented for the particular protocol.
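As an added example (not code from RFC 9325 or the IETF), the following Python encodes the changes listed in this appendix, both the TLS 1.2 items and the 0-RTT rule from the TLS 1.3 list, as checks over a server's TLS configuration supplied as plain data, so it runs offline without a handshake. The `TLSConfig` layout, the `(level, message)` finding format, the three sample configurations and the caller-supplied ticket-lifetime threshold are assumptions of the example; the concrete ticket limit is stated in the RFC body, not in this appendix.

```python
# Added example: a policy checker for the RFC 7525 -> RFC 9325 changes listed
# in this appendix. It is not code from the RFC or the IETF. A server's TLS
# configuration is modelled as plain data so the checks run offline; the
# TLSConfig layout, the (level, message) finding format and the caller-supplied
# ticket-lifetime threshold are assumptions of this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MUST, SHOULD = "MUST", "SHOULD"
OLD_MTI_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Key sizes (bits) of named groups; the appendix raises the ECDH minimum from
# 192 to 224. X25519 is listed at its 255-bit field size.
CURVE_BITS = {"secp192r1": 192, "secp224r1": 224, "secp256r1": 256,
              "P-256": 256, "secp384r1": 384, "X25519": 255}
RECOMMENDED_CURVES = {"X25519", "secp256r1", "P-256"}


@dataclass
class TLSConfig:
    versions: List[str]                  # protocol versions the server enables
    cipher_suites: List[str]             # IANA cipher-suite names
    curves: List[str]                    # ECDHE groups offered
    rsa_modulus_bits: int                # server certificate key size
    extended_master_secret: bool         # RFC 7627 support (TLS 1.2)
    dh_bits: Optional[int] = None        # FFDHE group size, None if not offered
    ticket_lifetime_s: Optional[int] = None
    early_data: bool = False             # TLS 1.3 0-RTT enabled
    early_data_documented: bool = False  # application profile specifies 0-RTT use

Finding = Tuple[str, str]


def check(cfg: TLSConfig, max_ticket_lifetime_s: int) -> List[Finding]:
    """Return (level, message) findings; empty means no listed change is violated."""
    f: List[Finding] = []
    for v in ("TLSv1.0", "TLSv1.1"):
        if v in cfg.versions:
            f.append((MUST, f"{v} MUST NOT be negotiated (RFC 7525 said SHOULD NOT)"))
    if "TLSv1.3" not in cfg.versions:
        f.append((SHOULD, "TLS 1.3 SHOULD be supported"))
    if cfg.rsa_modulus_bits < 2048:
        f.append((MUST, f"RSA modulus {cfg.rsa_modulus_bits} bits; minimum is 2048"))

    uses_ffdh = False
    for s in cfg.cipher_suites:
        if s == OLD_MTI_SUITE:
            f.append((SHOULD, f"{s} (old MTI suite) SHOULD NOT be used"))
        if s.startswith(("TLS_DHE_", "TLS_DH_")):   # finite-field DH, static or ephemeral
            uses_ffdh = True
            f.append((SHOULD, f"{s}: finite-field DH SHOULD NOT be used"))
        elif s.startswith("TLS_ECDH_"):              # static ECDH (ECDHE does not match)
            f.append((SHOULD, f"{s}: static ECDH SHOULD NOT be used"))
    if uses_ffdh and (cfg.dh_bits is None or cfg.dh_bits < 2048):
        f.append((MUST, "finite-field DH groups MUST be at least 2048 bits"))

    for c in cfg.curves:
        if CURVE_BITS.get(c, 0) < 224:
            f.append((MUST, f"curve {c} is unknown or below the 224-bit minimum"))
    if not RECOMMENDED_CURVES & set(cfg.curves):
        f.append((SHOULD, "X25519 or NIST P-256 SHOULD be offered"))
    if "TLSv1.2" in cfg.versions and not cfg.extended_master_secret:
        f.append((MUST, "extended_master_secret MUST be supported for TLS 1.2"))
    if cfg.ticket_lifetime_s is not None and cfg.ticket_lifetime_s > max_ticket_lifetime_s:
        f.append((MUST, f"session ticket lifetime {cfg.ticket_lifetime_s}s exceeds limit"))
    if cfg.early_data and not cfg.early_data_documented:
        f.append((MUST, "0-RTT MUST NOT be used unless the application protocol documents it"))
    return f


def summary(findings: List[Finding]) -> dict:
    out: dict = {}                       # e.g. {'MUST': 6, 'SHOULD': 4}
    for level, _ in findings:
        out[level] = out.get(level, 0) + 1
    return out


# Constructed sample configurations (not taken from any real server).
LEGACY = TLSConfig(            # roughly what RFC 7525 still tolerated
    versions=["TLSv1.1", "TLSv1.2"],
    cipher_suites=["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", OLD_MTI_SUITE],
    curves=["secp192r1", "secp256r1"], rsa_modulus_bits=1024,
    extended_master_secret=False, dh_bits=1024, ticket_lifetime_s=30 * 86400)
HARDENED = TLSConfig(          # follows the changes listed in this appendix
    versions=["TLSv1.2", "TLSv1.3"],
    cipher_suites=["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    curves=["X25519", "secp256r1"], rsa_modulus_bits=2048,
    extended_master_secret=True, ticket_lifetime_s=3600)
UNDOCUMENTED_0RTT = TLSConfig( # hardened, but 0-RTT switched on with no profile
    versions=["TLSv1.3"], cipher_suites=["TLS_AES_128_GCM_SHA256"],
    curves=["X25519"], rsa_modulus_bits=3072, extended_master_secret=True,
    early_data=True)

if __name__ == "__main__":
    # 86400 is a placeholder threshold for the demo; take the real limit from the RFC body.
    for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED), ("0rtt", UNDOCUMENTED_0RTT)):
        print(name, summary(check(cfg, max_ticket_lifetime_s=86400)))
```

Run stand-alone, the script reports ten findings for the legacy configuration (six MUST, four SHOULD), none for the hardened one, and a single MUST for the TLS 1.3 server that enables 0-RTT without an application-protocol profile. The cipher-suite rules match on IANA name prefixes, so `TLS_ECDHE_*` passes while `TLS_ECDH_*` (static ECDH) and any `TLS_DH*_` (finite-field DH) are flagged.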