I am reviewing TLS configurations in my code, there are several places where there is TLS.
In these places, TLS version is hardcoded to TLSv1.2. I want to make sure that TLS 1.3 is also supported. To do so, which is better, to add tls 1.3 in the code? or to make this variable as a property that is configurable by a flag?
It's always better to not use hardcoded values. Changing a property on a configuration file is trivial, changing a hardcoded value is not.
One could say that if you are supporting both TLS 1.2 and 1.3 there's nothing else left to configure. But if you have a reverse proxy, load balancer or IPS/IDS in place and there's an issue, being able to easily select protocols without recompiling makes troubleshooting easier.
It depends, but using flag may be reasonable when your application works in various environments where newer protocols may not be available. Though a better approach would be to define "minimum supported version". For compatibility purposes you can define TLS 1.2 as minimum, but 1.3 is preferred when available. Or strictly define TLS 1.3 and newer for highly secure environments.
Hardcoded protocol version is useful to reduce potential misconfiguration, but will not support newer protocols without application re-compilation and application upgrade. It is important when you rely on OS-provided TLS stack (similar to SChannel in Microsoft Windows), where you configure TLS stack behavior depending on external availability.
If you have some specific TLS version hard-coded in several places, and if you need to change all those parts of the code whenever you want to adjust the version, that's clearly not a good approach. You make security-related updates unnecessarily annoying (especially if the application is used by other people), which increases the risk that they don't happen. And you may end up with inconsistencies where different components use different TLS versions and configurations for no good reason.
However, the problem is more about the several places and not the hard-coding. You should have an abstraction layer which hides TLS-related details. For example, if you want to make HTTPS requests, then there should be an abstract HTTPS client which takes care of the choosing the right TLS version and settings. This version can then be defined in a single place, be it as a constant in the code, a parameter in a configuration file or whatever seems sensible.
| 脾胃不好吃什么食物可以调理hcv8jop6ns8r.cn | 学考成绩什么时候公布hcv8jop2ns8r.cn | 应用化学是干什么的hcv9jop6ns4r.cn | 变态反应是什么意思hcv9jop2ns8r.cn | 即兴表演是什么意思hebeidezhi.com |
| 走路不稳是什么原因hcv9jop5ns8r.cn | 膝盖疼是什么原因hcv7jop4ns7r.cn | 心绞痛是什么原因引起的tiangongnft.com | 子宫在肚脐眼什么位置hcv8jop2ns4r.cn | 头皮屑多的原因是什么hcv8jop6ns2r.cn |
| 嘴臭是什么原因引起的hcv8jop8ns7r.cn | 924是什么星座hebeidezhi.com | 1955年属什么hcv7jop6ns2r.cn | 哈密瓜不能和什么一起吃hcv8jop6ns6r.cn | 肝火旺吃什么hcv8jop1ns7r.cn |
| 1989年什么生肖wmyky.com | 什么叫同型半胱氨酸hcv8jop1ns6r.cn | 后援会是什么意思hcv7jop9ns3r.cn | 挑染是什么意思gysmod.com | 下颌关节紊乱挂什么科wzqsfys.com |
