Elevated minimum TLS requirement for German government

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) recently published a new minimum TLS requirement for the German federal authorities, also discussed here:

Essentially, the new requirement is to use TLS 1.3, or TLS 1.2 only with cipher suites that provide perfect forward secrecy (PFS), as the minimum.

Greenbone OS can be configured to comply with this requirement with the following cipher string (a GnuTLS priority string):

PFS:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-SHA1:-SIGN-RSA-SHA1:-SIGN-ECDSA-SHA1

To do this, log in to the GOS administration menu and open “Setup->Services->HTTPS->Ciphers”.
The current default still allows TLS 1.1 and TLS 1.2 without PFS. So, compared to the default, the two elements you need to add are the “PFS” keyword (require forward secrecy) and “-VERS-TLS1.1” (forbid TLS 1.1), both visible in the string above:

Afterwards, apply “Save” to activate the change. See also the section on HTTPS configuration in our manual.
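After saving, it is worth verifying from the outside that the web interface really behaves as the priority string intends: TLS 1.0/1.1 refused, TLS 1.2 only completing with an (EC)DHE key exchange, TLS 1.3 available. The following probe is an added example, not part of Greenbone OS or the original post. It uses only Python's standard library; the host name, the "kRSA" and "@SECLEVEL=0" OpenSSL cipher-string keywords (assumed: the client runs Python on OpenSSL) and the sample result dictionaries are constructed for illustration, and the result classification is kept in pure functions so it can be checked without a network.

```python
"""Probe an HTTPS endpoint (e.g. a GSM web interface) for the elevated TLS
minimum. Added example, not Greenbone code; standard library only."""
import socket
import ssl
import sys

PROBE_TIMEOUT = 5.0
# OpenSSL-specific cipher-string suffix needed to make a modern OpenSSL offer
# TLS 1.0/1.1 at all (assumption: Python is linked against OpenSSL).
LEGACY_CIPHERS = "DEFAULT:@SECLEVEL=0"
RSA_KX_CIPHERS = "kRSA"  # OpenSSL keyword: suites with RSA key transport, i.e. no PFS


def _client_context(version, ciphers=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test protocol policy, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def probe(host, port, version, ciphers=None):
    """One handshake pinned to `version` (optionally to an OpenSSL cipher list).
    Returns {"accepted": True|False|None, "version": ..., "cipher": ...};
    accepted=None means the local OpenSSL would not even offer the combination."""
    unknown = {"accepted": None, "version": None, "cipher": None}
    refused = {"accepted": False, "version": None, "cipher": None}
    try:
        ctx = _client_context(version, ciphers)
    except (ssl.SSLError, ValueError):
        return unknown
    try:
        with socket.create_connection((host, port), timeout=PROBE_TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return {"accepted": True, "version": tls.version(), "cipher": name}
    except ssl.SSLError as exc:
        # These messages come from the local library refusing to offer the
        # combination; any other SSL error is the server rejecting the handshake.
        if "no protocols available" in str(exc) or "no ciphers available" in str(exc):
            return unknown
        return refused
    except ConnectionResetError:
        return refused  # server dropped the connection on an unwanted ClientHello


def is_pfs_cipher(cipher_name, version):
    """TLS 1.3 suites always use (EC)DHE. For TLS 1.2 the OpenSSL suite name
    carries the key exchange: ECDHE-/DHE- give PFS, plain RSA key transport,
    PSK or anonymous suites do not qualify for this requirement."""
    if version == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def run_checks(host, port=443):
    """Five handshakes that together cover the requirement."""
    return {
        "tls10": probe(host, port, ssl.TLSVersion.TLSv1, LEGACY_CIPHERS),
        "tls11": probe(host, port, ssl.TLSVersion.TLSv1_1, LEGACY_CIPHERS),
        "tls12": probe(host, port, ssl.TLSVersion.TLSv1_2),
        "tls12_rsa_kx": probe(host, port, ssl.TLSVersion.TLSv1_2, RSA_KX_CIPHERS),
        "tls13": probe(host, port, ssl.TLSVersion.TLSv1_3),
    }


def evaluate(results):
    """Compare probe results with the requirement.
    Returns (compliant, {"fail": [...], "warn": [...]})."""
    fail, warn = [], []
    for key, label in (("tls10", "TLS 1.0"), ("tls11", "TLS 1.1")):
        r = results[key]
        if r["accepted"] is True:
            fail.append(f"{label} accepted; it must be disabled")
        elif r["accepted"] is None:
            warn.append(f"{label} could not be offered by the local OpenSSL; re-check with another client")
    r = results["tls12"]
    if r["accepted"] is True and not is_pfs_cipher(r["cipher"], r["version"]):
        fail.append(f"TLS 1.2 default negotiation picked non-PFS suite {r['cipher']}")
    r = results["tls12_rsa_kx"]
    if r["accepted"] is True:
        fail.append(f"TLS 1.2 completed with RSA key transport ({r['cipher']}); PFS is not enforced")
    elif r["accepted"] is None:
        warn.append("RSA key transport suites could not be offered by the local OpenSSL")
    if results["tls13"]["accepted"] is not True:
        warn.append("TLS 1.3 not negotiated")  # TLS 1.2 with PFS is the floor; 1.3 is the goal
    return (not fail), {"fail": fail, "warn": warn}


# Constructed sample results (not real captures) for the two configurations
# the post describes: the old default and the elevated priority string.
_NO = {"accepted": False, "version": None, "cipher": None}
SAMPLE_OLD_DEFAULT = {
    "tls10": _NO,
    "tls11": {"accepted": True, "version": "TLSv1.1", "cipher": "ECDHE-RSA-AES256-SHA"},
    "tls12": {"accepted": True, "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"},
    "tls12_rsa_kx": {"accepted": True, "version": "TLSv1.2", "cipher": "AES256-GCM-SHA384"},
    "tls13": {"accepted": True, "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
}
SAMPLE_ELEVATED = dict(SAMPLE_OLD_DEFAULT, tls11=_NO, tls12_rsa_kx=_NO)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "gsm.example.invalid"  # hypothetical host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, report = evaluate(run_checks(host, port))
    for line in report["fail"]:
        print("FAIL:", line)
    for line in report["warn"]:
        print("WARN:", line)
    print("compliant" if ok else "NOT compliant")
    sys.exit(0 if ok else 1)
```

Run it as `python3 tls_probe.py <gsm-host> 443` from a machine that can reach the web interface. The "kRSA" probe is the one that actually tests the PFS part of the requirement: a client offering only RSA key-transport suites must be turned away. A warning that the local OpenSSL could not offer TLS 1.0/1.1 means that particular check has not been made, not that it passed; re-run it from a client whose library still speaks those versions.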

Warning: Old browsers won’t support this standard

Elevating the minimum TLS requirement to this level exceeds the capabilities of some web browsers. For example, Internet Explorer as shipped with Windows 7 will not be able to access the GSM with the elevated minimum requirement above.

If it turns out that you do not have a browser that supports the elevated requirement, simply revert the cipher string to the previous setting by removing the two elements you added. This is done in the same GOS administration menu, so it does not depend on the web interface being reachable from your browser.