Elevated minimum TLS requirement for German government

The German Federal Agency for IT Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), recently published a new minimum requirement for TLS for the German federal authorities, also discussed here:

Essentially the new requirement says to use TLS 1.3 and TLS 1.2 only with PFS as a minimum.

Greenbone OS can be configured to be compliant with this requirement with this cipher string:

PFS:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-SHA1:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1

For this, log into the GOS administration and enter menu “Setup->Services->HTTPS->Ciphers”.
The current default allows the use of TLS 1.1 and TLS 1.2 without PFS. So, what you need to add to the default is to require PFS and to forbid TLS 1.1:

Afterwards apply “Save” to finally activate the change. See also the section on HTTPS configuration in our manual.

Warning: Old browsers won’t support this standard

Elevating the minimum TLS requirement to this level exceeds the capabilities of some web browsers. For example, Internet Explorer as shipped with Windows 7 will not be able to access the GSM with the above elevated minimum requirement.

If it turns out that you do not have a browser that supports the elevated requirement, simply revert the cipher string back to the previous setting by removing the two elements you added before.

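As an added example (not Greenbone's code and not part of the post above), the following Python models a GnuTLS-style priority string just far enough to report what a GOS cipher string still permits that the elevated minimum forbids: protocol versions below TLS 1.2, non-PFS key exchange, and SHA-1. The keyword sets for `NORMAL` and `PFS` are simplified, constructed stand-ins, the `WEAKER` string is a constructed illustration and not the actual GOS default, and the parser accepts only the modifier forms used in the post; these are assumptions, not the real GnuTLS grammar.

```python
"""Added example (not Greenbone code): a simplified model of a GnuTLS-style
priority string, enough to check whether a GOS HTTPS cipher string still
permits anything the elevated BSI minimum forbids (protocols below TLS 1.2,
non-PFS key exchange, SHA-1)."""

from dataclasses import dataclass

# Constructed, simplified keyword sets (assumption, not the real GnuTLS
# tables): NORMAL enables every protocol version and both static and
# ephemeral key exchange; PFS is NORMAL restricted to ephemeral key exchange.
ALL_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3",
                "DTLS1.0", "DTLS1.2"}
EPHEMERAL_KX = {"ECDHE-RSA", "ECDHE-ECDSA", "DHE-RSA"}
STATIC_KX = {"RSA"}
ALL_SIGNS = {"SIGN-RSA-SHA1", "SIGN-ECDSA-SHA1", "SIGN-RSA-SHA256",
             "SIGN-ECDSA-SHA256", "SIGN-RSA-PSS-SHA256"}
ALL_MACS = {"SHA1", "SHA256", "SHA384", "AEAD"}

# What the elevated minimum rules out under this model.
LEGACY_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1", "DTLS1.0"}
SHA1_SIGNS = {"SIGN-RSA-SHA1", "SIGN-ECDSA-SHA1"}


@dataclass
class Policy:
    versions: set
    kx: set
    signs: set
    macs: set


def parse_priority(priority: str) -> Policy:
    """Build the enabled sets from an initial keyword followed by +/- modifiers.
    Later modifiers override earlier ones, as in a GnuTLS priority string."""
    keyword, *modifiers = priority.split(":")
    if keyword == "NORMAL":
        policy = Policy(set(ALL_VERSIONS), EPHEMERAL_KX | STATIC_KX,
                        set(ALL_SIGNS), set(ALL_MACS))
    elif keyword == "PFS":
        policy = Policy(set(ALL_VERSIONS), set(EPHEMERAL_KX),
                        set(ALL_SIGNS), set(ALL_MACS))
    else:
        raise ValueError(f"unsupported initial keyword: {keyword!r}")

    for mod in modifiers:
        if not mod or mod[0] not in "+-":
            raise ValueError(f"modifier must start with + or -: {mod!r}")
        op, name = mod[0], mod[1:]
        if name.startswith("VERS-"):
            bucket, item = policy.versions, name[len("VERS-"):]
        elif name.startswith("SIGN-"):
            bucket, item = policy.signs, name
        elif name in EPHEMERAL_KX | STATIC_KX:
            bucket, item = policy.kx, name
        elif name in ALL_MACS:
            bucket, item = policy.macs, name
        else:
            raise ValueError(f"unknown modifier: {mod!r}")
        if op == "-":
            bucket.discard(item)
        else:
            bucket.add(item)
    return policy


def bsi_findings(priority: str) -> list:
    """Return everything the string still allows that the elevated minimum
    forbids; an empty list means the string is compliant under this model."""
    p = parse_priority(priority)
    findings = []
    findings += [f"legacy protocol enabled: {v}"
                 for v in sorted(p.versions & LEGACY_VERSIONS)]
    findings += [f"non-PFS key exchange enabled: {k}"
                 for k in sorted(p.kx & STATIC_KX)]
    findings += [f"SHA-1 signature enabled: {s}"
                 for s in sorted(p.signs & SHA1_SIGNS)]
    if "SHA1" in p.macs:
        findings.append("SHA-1 MAC enabled")
    return findings


# The cipher string from the post above.
ELEVATED = ("PFS:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0"
            ":-SHA1:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1")
# Constructed stand-in for a weaker string (NOT the actual GOS default):
# the same modifiers, but NORMAL instead of PFS and TLS 1.1 still allowed.
WEAKER = ("NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-DTLS1.0"
          ":-SHA1:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1")

if __name__ == "__main__":
    for label, s in (("elevated", ELEVATED), ("weaker", WEAKER)):
        print(label, bsi_findings(s) or "compliant")
```

Running the block prints `compliant` for the post's string and, for the constructed weaker one, the two gaps the post tells you to close (TLS 1.1 still enabled, static RSA key exchange still enabled). Because later modifiers win, appending `:+VERS-TLS1.1` to the elevated string re-opens TLS 1.1, which is exactly the kind of drift a check like this catches when the setting is reverted or edited later.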

Note: This topic has been unlisted and archived as the contents are now outdated.

With Greenbone OS 21.04, released in 2021, the way HTTPS protocols and ciphers are configured has changed, see New Features and Changes of Default Behaviour - HTTPS (GOS 21.04).

For the currently supported version Greenbone OS 22.04, the configuration is documented here: