Partial update to NCSC 2025

Author: mxsasha

checks/tasks/tls/tls_constants.py

@@ -5,7 +5,7 @@
 from sslyze import TlsVersionEnum
 
 
-# NCSC guideline B3-2 / table 2 and 3
+# NCSC 3.3.2 / 3.3.5
 CERT_SIGALG_GOOD = [
     SignatureAlgorithmOID.RSA_WITH_SHA256,
     SignatureAlgorithmOID.RSA_WITH_SHA384,
@@ -20,17 +20,28 @@
 CERT_RSA_DSA_MIN_KEY_SIZE = 2048
 CERT_CURVE_MIN_KEY_SIZE = 224
 
-# NCSC table 9
+# NCSC 3.3.2.1
 CERT_CURVES_GOOD = [x25519.X25519PublicKey, x448.X448PublicKey]
-CERT_EC_CURVES_GOOD = [ec.SECP384R1, ec.SECP256R1]
+CERT_EC_CURVES_GOOD = [
+    ec.SECP521R1,
+    ec.SECP384R1,
+    ec.SECP256R1,
+    ec.BrainpoolP512R1,
+    ec.BrainpoolP384R1,
+    ec.BrainpoolP256R1,
+]
 CERT_EC_CURVES_PHASE_OUT = [ec.SECP224R1]
 FS_ECDH_MIN_KEY_SIZE = 224
 FS_DH_MIN_KEY_SIZE = 2048
 
+# NCSC 3.3.2.1
 FS_EC_GOOD = [
     OpenSslEcNidEnum.SECP521R1,
     OpenSslEcNidEnum.SECP384R1,
     OpenSslEcNidEnum.SECP256R1,
+    OpenSslEcNidEnum.brainpoolP512r1,
+    OpenSslEcNidEnum.brainpoolP384r1,
+    OpenSslEcNidEnum.brainpoolP256r1,
     OpenSslEcNidEnum.X25519,
     OpenSslEcNidEnum.X448,
 ]
@@ -39,87 +50,72 @@
 ]
 
 
-# NCSC appendix C, derived from table 2, 6 and 7
-# Anything not in these lists, is insufficient.
+# NCSC appendix B, derived from 3.3.3, 3.3.4
+# PQC not yet supported by us
+# Anything not in these lists is insufficient.
 CIPHERS_GOOD = [
     "TLS_AES_256_GCM_SHA384",
     "TLS_CHACHA20_POLY1305_SHA256",
+]
+CIPHERS_SUFFICIENT = [
     "TLS_AES_128_GCM_SHA256",
-    # NCSC appendix C lists these as sufficient, but read
-    # footnote 52 carefully. As we test TLS version separate
-    # from cipher list, we consider them good.
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_AES_128_CCM_SHA256",
     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    # CCM is not in appendix C, but footnote 31 makes it Good (CCM_8 is insufficient)
-    "TLS_AES_128_CCM_SHA256",  # TLS 1.3 notation
-    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
 ]
-CIPHERS_SUFFICIENT = [
+CIPHERS_PHASE_OUT = [
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+    "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
-    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-    # CAMELLIA is not in appendix C but is sufficient (footnote 31)
-    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
     "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
-    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
-    # CCM is not in appendix C, but footnote 31 makes it Good (on its own)
-    "TLS_DHE_RSA_WITH_AES_128_CCM",
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+    "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+    "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+    "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_DHE_RSA_WITH_AES_256_CCM",
-]
-CIPHERS_PHASE_OUT = [
-    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-    "TLS_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_RSA_WITH_AES_256_CBC_SHA256",
-    "TLS_RSA_WITH_AES_256_CBC_SHA",
-    "TLS_RSA_WITH_AES_128_CBC_SHA256",
-    "TLS_RSA_WITH_AES_128_CBC_SHA",
-    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-    # CCM is not in appendix C, but footnote 31 makes it Good (on its own)
-    "TLS_RSA_WITH_AES_128_CCM",
-    "TLS_RSA_WITH_AES_256_CCM",
+    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_DHE_RSA_WITH_AES_128_CCM",
+    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 ]
 
-# NCSC table 1
+# NCSC 3.3.1
 PROTOCOLS_GOOD = [
     TlsVersionEnum.TLS_1_3,
 ]
 
 PROTOCOLS_SUFFICIENT = [
     TlsVersionEnum.TLS_1_2,
 ]
-PROTOCOLS_PHASE_OUT = [
-    TlsVersionEnum.TLS_1_1,
-    TlsVersionEnum.TLS_1_0,
-]
+PROTOCOLS_PHASE_OUT = []
 
 # NCSC table 5
 # This is eventually passed to openssl's SSL_set1_sigalgs,