Scan for supported SSL/TLS cipher suites

Description

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has published a minimum TLS standard (German version only: Mindeststandard des BSI zur Verwendung von Transport Layer Security (TLS)).

The standard requires at least TLS version 1.2 with Perfect Forward Secrecy (PFS). As listed in guideline TR-02102-2 (Technical Guideline TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths), only some cipher suites fulfill this requirement.

With the attached scan configuration, it is possible to test the cipher suites supported on a port and warn about those not fulfilling this policy (GSF content only).

Details

Only cipher suites for TLS versions 1.2 and 1.3 with PFS are listed as allowed cipher suites for a port by default. In the VT “SSL/TLS: Supported Cipher Suites” (OID: 1.3.6.1.4.1.25623.1.0.109844), the list of allowed cipher suites for each TLS version can be modified.

The VT “SSL/TLS: Supported Cipher Suites Violations” (OID: 1.3.6.1.4.1.25623.1.0.109846) lists all cipher suites found on this port other than the allowed ones, i.e. a port reported here is not compliant with the policy.

The VT “SSL/TLS: Supported Cipher Suites Ok” (OID: 1.3.6.1.4.1.25623.1.0.109845) lists all allowed cipher suites found on the port, if “Report Passed Tests” is enabled.
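As an added illustration (not part of the scan configuration or of the Greenbone VTs), the following Python check applies the rule the Details section describes, TLS 1.2 or newer together with a PFS key exchange, to a constructed list of suites reported for one port and splits them into an Ok list and a Violations list. The sample results, the `allowed_override` parameter (standing in for the per-version allow-list the VT lets you edit) and the suite-name parsing are assumptions of this example.

```python
import re

# Constructed sample of what a scanner might report for one port: (protocol, IANA suite name).
SAMPLE_RESULTS = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"),          # static RSA key exchange: no PFS
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
    ("TLSv1.2", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"),       # ephemeral but unauthenticated
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

# PFS in TLS 1.2 means an authenticated ephemeral (EC)DHE key exchange.
PFS_KX = re.compile(r"^TLS_(ECDHE|DHE)_(RSA|ECDSA|PSK)_WITH_")
MIN_VERSION = (1, 2)


def parse_version(protocol):
    """Turn 'TLSv1.2' into (1, 2); return None for anything that is not a TLS version string."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", protocol)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_allowed(protocol, suite):
    """Default policy: TLS >= 1.2 and a PFS key exchange."""
    ver = parse_version(protocol)
    if ver is None or ver < MIN_VERSION:
        return False
    if ver >= (1, 3):
        # Every TLS 1.3 handshake uses ephemeral (EC)DHE, so any TLS 1.3 suite satisfies PFS.
        return suite.startswith("TLS_")
    return PFS_KX.match(suite) is not None


def evaluate(results, allowed_override=None):
    """Classify each reported suite. allowed_override maps a protocol string to an explicit
    set of allowed suite names for that version; versions without an entry use the default rule."""
    report = {"ok": [], "violations": []}
    for protocol, suite in results:
        if allowed_override and protocol in allowed_override:
            ok = suite in allowed_override[protocol]
        else:
            ok = is_allowed(protocol, suite)
        report["ok" if ok else "violations"].append(f"{protocol} {suite}")
    return report


if __name__ == "__main__":
    for section, suites in evaluate(SAMPLE_RESULTS).items():
        print(section, suites)
```

A PFS-only rule still accepts an ECDHE suite that uses a legacy bulk cipher such as 3DES, which is why the editable per-version allow-list is the place to tighten the policy further.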

Scan Config

Moderator note: This is an older scan config that does not work with current versions of Greenbone software, but remains here for reference purposes.

Download this scan configuration (662.2 KB) and run a scan. The scan does not need to be authenticated.

You can modify the allowed cipher suites in VT “SSL/TLS: Supported Cipher Suites” (OID: 1.3.6.1.4.1.25623.1.0.109844) in family Policy.

Included VTs

| Name | Family | OID | Script preferences |
|---|---|---|---|
| SSL/TLS: Supported Cipher Suites | Policy | 1.3.6.1.4.1.25623.1.0.109844 | “Perform check” set to “yes”, “Report Passed Tests” set to “yes”, cipher suites for TLS version 1.2 and 1.3 with PFS included |
| SSL/TLS: Supported Cipher Suites Ok | Policy | 1.3.6.1.4.1.25623.1.0.109845 | |
| SSL/TLS: Supported Cipher Suites Violations | Policy | 1.3.6.1.4.1.25623.1.0.109846 | |
| SSL/TLS: Supported Cipher Suites Error | Policy | 1.3.6.1.4.1.25623.1.0.109847 | |