diff --git a/checks/tasks/tls/tls_constants.py b/checks/tasks/tls/tls_constants.py index 03c5339b1..3158ef091 100644 --- a/checks/tasks/tls/tls_constants.py +++ b/checks/tasks/tls/tls_constants.py @@ -5,7 +5,7 @@ from sslyze import TlsVersionEnum -# NCSC guideline B3-2 / table 2 and 3 +# NCSC 3.3.2 / 3.3.5 CERT_SIGALG_GOOD = [ SignatureAlgorithmOID.RSA_WITH_SHA256, SignatureAlgorithmOID.RSA_WITH_SHA384, @@ -20,17 +20,28 @@ CERT_RSA_DSA_MIN_KEY_SIZE = 2048 CERT_CURVE_MIN_KEY_SIZE = 224 -# NCSC table 9 +# NCSC 3.3.2.1 CERT_CURVES_GOOD = [x25519.X25519PublicKey, x448.X448PublicKey] -CERT_EC_CURVES_GOOD = [ec.SECP384R1, ec.SECP256R1] +CERT_EC_CURVES_GOOD = [ + ec.SECP521R1, + ec.SECP384R1, + ec.SECP256R1, + ec.BrainpoolP512R1, + ec.BrainpoolP384R1, + ec.BrainpoolP256R1, +] CERT_EC_CURVES_PHASE_OUT = [ec.SECP224R1] FS_ECDH_MIN_KEY_SIZE = 224 FS_DH_MIN_KEY_SIZE = 2048 +# NCSC 3.3.2.1 FS_EC_GOOD = [ OpenSslEcNidEnum.SECP521R1, OpenSslEcNidEnum.SECP384R1, OpenSslEcNidEnum.SECP256R1, + OpenSslEcNidEnum.brainpoolP512r1, + OpenSslEcNidEnum.brainpoolP384r1, + OpenSslEcNidEnum.brainpoolP256r1, OpenSslEcNidEnum.X25519, OpenSslEcNidEnum.X448, ] @@ -39,76 +50,64 @@ ] -# NCSC appendix C, derived from table 2, 6 and 7 -# Anything not in these lists, is insufficient. +# NCSC appendix B, derived from 3.3.3, 3.3.4 +# PQC not yet supported by us +# Anything not in these lists is insufficient. CIPHERS_GOOD = [ "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", +] +CIPHERS_SUFFICIENT = [ "TLS_AES_128_GCM_SHA256", - # NCSC appendix C lists these as sufficient, but read - # footnote 52 carefully. As we test TLS version separate - # from cipher list, we consider them good. - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_AES_128_CCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - # CCM is not in appendix C, but footnote 31 makes it Good (CCM_8 is insufficient) - "TLS_AES_128_CCM_SHA256", # TLS 1.3 notation - "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", - "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", ] -CIPHERS_SUFFICIENT = [ +CIPHERS_PHASE_OUT = [ + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - # CAMELLIA is not in appendix C but is sufficient (footnote 31) - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", - # CCM is not in appendix C, but footnote 31 makes it Good (on its own) - "TLS_DHE_RSA_WITH_AES_128_CCM", + "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CCM", -] -CIPHERS_PHASE_OUT = [ - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - # CCM is not in appendix C, but footnote 31 makes it Good (on its own) - "TLS_RSA_WITH_AES_128_CCM", - "TLS_RSA_WITH_AES_256_CCM", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CCM", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", ] -# NCSC table 1 +# NCSC 3.3.1 PROTOCOLS_GOOD = [ TlsVersionEnum.TLS_1_3, ] @@ -116,10 +115,7 @@ PROTOCOLS_SUFFICIENT = [ TlsVersionEnum.TLS_1_2, ] -PROTOCOLS_PHASE_OUT = [ - TlsVersionEnum.TLS_1_1, - TlsVersionEnum.TLS_1_0, -] +PROTOCOLS_PHASE_OUT = [] # NCSC table 5 # This is eventually passed to openssl's SSL_set1_sigalgs,