Add TLS 1.3-only support for API Security Testing
Problem to solve
Servers that offer only TLSv1.3 cipher suites can't be scanned with the API Security Testing analyzer, because the analyzer does not support TLS 1.3. This is an adoption barrier that reduces the number of customers who can use DAST API.
When the DAST_API_TARGET_URL offers only TLSv1.3, the dast_api job fails with:
17:12:02 [ERR] DAST API: Testing failed: Failed to establish TLS connection with 'dev.ops.brie.lol:443'. protocol_version(70).
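To confirm that a target is TLS 1.3-only (rather than failing for some other reason) before a scan is scheduled, the following probe pins a client handshake to one protocol version at a time and reports which versions the server negotiates. It is an added example written for this issue, not code from the DAST API analyzer or from GitLab; it uses Python's standard ssl module (OpenSSL), and the host `dev.ops.brie.lol` is only the one quoted in the job output above. With a TLS 1.3-only server, the TLS 1.2-pinned attempt fails with an OpenSSL "tlsv1 alert protocol version" error, which is the same alert (code 70) the job reports.

```python
import socket
import ssl
from urllib.parse import urlparse

# Added illustration for the issue above; not part of the DAST API analyzer.
# Each probe pins both the minimum and maximum protocol version, so a server
# that offers only TLSv1.3 rejects the TLSv1.2 attempt with a protocol_version
# alert while accepting the TLSv1.3 attempt.
PROBE_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def target_from_url(url):
    """Return (host, port) for a DAST_API_TARGET_URL-style https:// URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("expected an https:// URL with a host")
    return parsed.hostname, parsed.port or 443


def handshake_with(host, port, version, verify=True, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns (True, negotiated_version) on success, or (False, error_text)
    on failure. Certificate problems surface as CERTIFICATE_VERIFY_FAILED,
    which is distinct from the protocol_version alert this issue is about;
    pass verify=False for dev targets with self-signed certificates.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def probe(url, verify=True):
    """Run every pinned handshake against the target and collect the results."""
    host, port = target_from_url(url)
    return {
        name: handshake_with(host, port, ver, verify=verify)
        for name, ver in PROBE_VERSIONS.items()
    }


def classify(results):
    """Summarise probe results as one of:
    'tls12-capable' - the analyzer can talk to this target today,
    'tls13-only'    - the failure in this issue is expected,
    'unreachable'   - neither version negotiated; look at the error text.
    """
    negotiated = {name for name, (ok, _) in results.items() if ok}
    if "TLSv1.2" in negotiated:
        return "tls12-capable"
    if "TLSv1.3" in negotiated:
        return "tls13-only"
    return "unreachable"


if __name__ == "__main__":
    # Example target taken from the job output quoted in this issue.
    results = probe("https://dev.ops.brie.lol:443")
    for name, (ok, detail) in results.items():
        print(f"{name}: {'ok' if ok else 'failed'} ({detail})")
    print("verdict:", classify(results))
```

Running the script prints one line per pinned version and a verdict; a `tls13-only` verdict means the `dast_api` failure is the unsupported-protocol case described here, while `unreachable` with a certificate error in the detail text points at a different problem.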
Overview
TLS 1.3 has been available since 2018 and is becoming more widely adopted. Adoption is ~68% today.
As of January 1, 2024, TLS 1.3 is required to comply with NIST standards (NIST SP 800-52).
Proposal
Add TLS 1.3 support for DAST API and API Fuzzing.
Implementation Plan
- Review why the proxy must be disabled to use the native TLS stack
- Default to using the native TLS stack
- Migrate impacted tests to work with the runner. Moved into a separate issue.