Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BSI TLS policy update TR-02102-2 version 2019-01 #2195

merged 5 commits into from Nov 15, 2019


Copy link

securitykernel commented Nov 14, 2019

Updates the BSI TLS policy to version 2019-01 of the underlying technical guideline BSI TR-02102-2.

  • Add CCM ciphersuites
  • Add SHA-512 as permitted signature hash algorithm
  • Remove FFDHE groups ffdhe6144 and ffdhe8192, as these are not explicitly listed in sec. 3.3.2
  • Remove non-ephemeral TLS_PSK_* ciphersuites, they are explicitly not permitted
BSI TR-02102-2 version 2019-01 explicitly lists
the FFDHE groups recommended now. ffdhe6144 and
ffdhe8192 are not listed, so we remove them from
the BSI TLS policy.
BSI TR-02102-1 version 2019-01 added CCM ciphersuites
as recommended, so we add them to the BSI TLS policy.
Copy link

randombit left a comment

Looks fine just one question

@@ -420,12 +420,12 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 : public Policy
std::vector<std::string> allowed_ciphers() const override
return std::vector<std::string>({"AES-256/GCM", "AES-128/GCM", "AES-256", "AES-128" });
return std::vector<std::string>({"AES-256/GCM", "AES-128/GCM", "AES-256", "AES-128", "AES-256/CCM", "AES-128/CCM"});

This comment has been minimized.

Copy link

randombit Nov 14, 2019


Are you sure you want to prioritize CBC over CCM?

This comment has been minimized.

Copy link

securitykernel Nov 15, 2019

Author Collaborator

Hmm, not really. Changed the order in 4fca820.


This comment has been minimized.

Copy link

codecov-io commented Nov 14, 2019

Codecov Report

Merging #2195 into master will increase coverage by <.01%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2195      +/-   ##
+ Coverage   92.34%   92.35%   +<.01%     
  Files         553      553              
  Lines       60226    60226              
  Branches     6383     6383              
+ Hits        55614    55619       +5     
+ Misses       4612     4607       -5
Impacted Files Coverage Δ
src/bogo_shim/bogo_shim.cpp 89.12% <0%> (+0.17%) ⬆️
src/lib/pubkey/dl_group/dl_group.cpp 93.3% <0%> (+1.18%) ⬆️
src/lib/misc/cryptobox/cryptobox.cpp 95.23% <0%> (+1.58%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 292330e...4fca820. Read the comment docs.

randombit added a commit that referenced this pull request Nov 15, 2019
@randombit randombit merged commit 4fca820 into randombit:master Nov 15, 2019
6 checks passed
6 checks passed
LGTM analysis: Python No code changes detected
LGTM analysis: C/C++ No new or fixed alerts
codecov/patch Coverage not affected when comparing 292330e...4fca820
codecov/project 92.35% (+<.01%) compared to 292330e
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.