2

I have to answer this question:

(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body.

My product only uses HTTPS communication with an API, so I would like to answer by referring to some standard.

So my question is: is there some standard (RFC) describing the HTTPS protocol with all of its features like SSL/TLS, different cipher suites, etc.?

tomasbedrich

1 Answer

2

HTTPS is effectively HTTP over Transport Layer Security. Although HTTPS may use other cryptographic protocols (e.g. SSL) depending on how the server is configured, most up-to-date servers will be running the latest TLS due to security issues found in older TLS/SSL. So rather than a specification for HTTPS, you probably need the specification for TLS.

The latest version of TLS, 1.2, was defined in RFC 5246:

https://www.rfc-editor.org/rfc/rfc5246

Travis
  • So if I need to cover all of the possible TLS/SSL options (I don't know which one the server will use), then I need to find an RFC for each of them? Is there no RFC that describes the principles of the **combination** of HTTP and the other protocols? – tomasbedrich Sep 09 '16 at 09:01