This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Strong SSL Cipher and session Fixation -Apigee

Posted on 09-21-2022 12:41 PM
aramkrishna6
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hi,

Do we have guidance on to configure strong SSL Cipher configuration with TLS 1.2 for Apigee OPDK.

Also session Fixation  with respect to OWASP for apigee.

Reviewed Top 10 OWASP doc from apigee did not cover above information.

Let me know, if  missing anything. 

@dino @kurtkanaskie 

Solved Solved
0 2 161
Topic Labels
Jump to Solution
0 Likes
2 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
kurtkanaskie
Staff
Reply posted on --/--/---- --:-- AM

Not exactly sure what you mean by "strong SSL Cipher" but the article Empirical Analysis of Valid Values for VirtualHost ssl_ciphers for Testing TLS 1.2 identifies valid SSL cipher values to configure Virtual Hosts to use TLS 1.2.

As for "session fixation" A2:2017 - Broken Authentication and Session Management addresses this, it's not really an Apigee product issue, more of an implementation flaw in applications.

Hope that helps!

View solution in original post

Jump to Solution

Posted on --/--/---- --:-- AM
API-Evangelist
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

May be follow Financial-grade API standards &  restrict as per https://openid.net/specs/openid-financial-api-part-2-wd-06.html#tls-considerations 

Again speak to your security team for any further guidance. This cipher restrictions can be applied on virtual host -https://docs.apigee.com/how-to-guides/configuring-cipher-suites-on-virtual-host-routers

 

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
kurtkanaskie
Staff
Reply posted on --/--/---- --:-- AM

Not exactly sure what you mean by "strong SSL Cipher" but the article Empirical Analysis of Valid Values for VirtualHost ssl_ciphers for Testing TLS 1.2 identifies valid SSL cipher values to configure Virtual Hosts to use TLS 1.2.

As for "session fixation" A2:2017 - Broken Authentication and Session Management addresses this, it's not really an Apigee product issue, more of an implementation flaw in applications.

Hope that helps!

Jump to Solution

Posted on --/--/---- --:-- AM
API-Evangelist
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

May be follow Financial-grade API standards &  restrict as per https://openid.net/specs/openid-financial-api-part-2-wd-06.html#tls-considerations 

Again speak to your security team for any further guidance. This cipher restrictions can be applied on virtual host -https://docs.apigee.com/how-to-guides/configuring-cipher-suites-on-virtual-host-routers

 

Jump to Solution
Top Solution Authors
View all