Skip to content

Commit

Permalink
Test for conformance to NIST SP 800-52
Browse files Browse the repository at this point in the history
This commit adds a --nist switch (and a corresponding NIST environment variable). If the switch is used, then testssl.sh will perform some checks for conformance to NIST Special Publication 800-52 Revision 2. For example, ratings of cipher suites will be based on whether they are permitted by SP 800-52. In addition, when cipher suites that offer forward secrecy are offered, ratings for the ephemeral ellitic curves and/or finite field groups offered are based on conformance to SP 800-56A Revision 3 (and in particular Appendix D of that document).
  • Loading branch information
dcooper16 committed Oct 17, 2024
1 parent 6452ec9 commit a868b9c
Show file tree
Hide file tree
Showing 4 changed files with 594 additions and 134 deletions.
2 changes: 2 additions & 0 deletions doc/testssl.1
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,8 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
\fB\-\-phone\-out\fR Checking for revoked certificates via CRL and OCSP is not done per default\. This switch instructs testssl\.sh to query external \-\- in a sense of the current run \-\- URIs\. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl\.sh doesn't handle\. PHONE_OUT is the environment variable for this which needs to be set to true if you want this\.
.P
\fB\-\-add\-ca <CAfile>\fR enables you to add your own CA(s) in PEM format for trust chain checks\. \fBCAfile\fR can be a directory containing files with a \.pem extension, a single file or multiple files as a comma separated list of root CAs\. Internally they will be added during runtime to all CA stores\. This is (only) useful for internal hosts whose certificates are issued by internal CAs\. Alternatively ADDTL_CA_FILES is the environment variable for this\.
.P
\fB\-\-nist\fR indicates that testing should check for conformance to the recommendations of the U\.S\. National Institute of Standards and Technology (NIST), including NIST Special Publication (SP) 800-53 Revision 2 and SP 800-56A Revision 3\. This switch will affect, for example, the ratings that are applied to cipher suites\. NIST is the environment variable for this which needs to be set to true if you want this\.
.SS "SINGLE CHECK OPTIONS"
Any single check switch supplied as an argument prevents testssl\.sh from doing a default run\. It just takes this and if supplied other options and runs them \- in the order they would also appear in the default run\.
.P
Expand Down
2 changes: 2 additions & 0 deletions doc/testssl.1.html

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions doc/testssl.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,8 @@ The same can be achieved by setting the environment variable `WARNINGS`.

`--add-ca <CAfile>` enables you to add your own CA(s) in PEM format for trust chain checks. `CAfile` can be a directory containing files with a \.pem extension, a single file or multiple files as a comma separated list of root CAs. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDTL_CA_FILES is the environment variable for this.

`--nist` indicates that testing should check for conformance to the recommendations of the U.S. National Institute of Standards and Technology (NIST), including NIST Special Publication (SP) 800-53 Revision 2 and SP 800-56A Revision 3. This switch will affect, for example, the ratings that are applied to cipher suites. NIST is the environment variable for this which needs to be set to true if you want this.


### SINGLE CHECK OPTIONS

Expand Down
Loading

0 comments on commit a868b9c

Please sign in to comment.