
Update sslyze branch to NCSC 2025 #1800


Open: wants to merge 1 commit into base branch sslyze

Conversation

mxsasha (Collaborator) commented Jun 9, 2025

  • EdDSA auth detected as sufficient? (3.3.2)
  • Various min key length constants, do they still apply?
  • RSA length requirements (3.3.2.1)
  • RSA padding requirements (3.3.2.1)
  • Updated FFDHE requirements (3.3.3.1)
  • Verify we see TLS compression (3.4.1)
  • Add test for resumption (3.4.3)

Discuss:

  • Update renegotiation settings: we only have good/bad for on/off; should we add sufficient for limited secure? Also ensure unlimited secure reneg is phased out and insecure is insufficient (3.4.2) -> Fix this inside nassl to return the number of attempts. Limited = maximum 10 permitted.
  • kex_hash removal? -> Check whether this SHA1 is even possible in TLS 1.1. If yes, update the check to reject SHA1. If no, the check is obsolete.
  • Extended master secret? -> Implement check as currently allowed by nassl

Interesting data point: the SHA2 key exchange check had a bug in the sslyze branch, which we did not notice in comparisons probably because it never fails.
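One possible shape for the renegotiation verdict sketched in the discussion items above, as an added example that is not code from the Internet.nl project, sslyze or nassl: it assumes nassl reports how many client-initiated renegotiations the server accepted out of the number tried, and the result field names and verdict labels are assumptions for illustration; the limit of 10 comes from the discussion item.

```python
# Added example, not Internet.nl / sslyze / nassl code. Maps a (hypothetical)
# renegotiation scan result onto the four-step verdict discussed in the PR.
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    GOOD = "good"                  # client-initiated renegotiation is off
    SUFFICIENT = "sufficient"      # secure and limited (at most 10 accepted)
    PHASE_OUT = "phase out"        # secure but unlimited (or limit above 10)
    INSUFFICIENT = "insufficient"  # insecure (no RFC 5746) renegotiation


# From the discussion item: "limited" means at most 10 renegotiations permitted.
MAX_LIMITED_RENEG_ATTEMPTS = 10


@dataclass(frozen=True)
class RenegotiationResult:
    """Assumed shape of what nassl would return after the proposed change."""
    secure_renegotiation: bool  # RFC 5746 renegotiation_info negotiated
    attempts_tried: int         # client-initiated renegotiations attempted
    attempts_accepted: int      # how many of those the server went along with


def renegotiation_verdict(r: RenegotiationResult) -> Verdict:
    if r.attempts_accepted < 0 or r.attempts_accepted > r.attempts_tried:
        raise ValueError("accepted count must be within 0..tried")
    if r.attempts_accepted == 0:
        # Server refuses client-initiated renegotiation altogether: best case.
        return Verdict.GOOD
    if not r.secure_renegotiation:
        # Any accepted renegotiation without RFC 5746 is insecure.
        return Verdict.INSUFFICIENT
    if r.attempts_tried <= MAX_LIMITED_RENEG_ATTEMPTS:
        # Cannot distinguish "limited" from "unlimited" unless the scanner
        # tried more than the limit; refuse to guess rather than misclassify.
        raise ValueError(
            f"need more than {MAX_LIMITED_RENEG_ATTEMPTS} attempts to judge the limit"
        )
    if (r.attempts_accepted < r.attempts_tried
            and r.attempts_accepted <= MAX_LIMITED_RENEG_ATTEMPTS):
        # Server cut us off at or below the permitted maximum: limited secure.
        return Verdict.SUFFICIENT
    # Server kept renegotiating past the limit (or never stopped): phase out.
    return Verdict.PHASE_OUT
```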
