This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Guidance for mitigating obsolete Transport Layer Security configurations. #nsacyber


nsacyber/Mitigating-Obsolete-TLS


Mitigating Obsolete TLS

This repository lists a number of tools, SNORT signatures, and web server configurations to help network owners detect and remediate the use of obsolete TLS. More information is available in the NSA Cybersecurity Information Sheet (CSI) Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations.

Background

Encryption protocols, such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL), provide data protection as it travels through a network. However, older versions of these protocols become obsolete as technology changes and vulnerabilities surface. Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption. As a result, all systems should detect and remediate the use of deprecated forms of encryption for TLS and SSL protocols.

See the TLS background information page for more information.

TLS Scanning and Configuration Tools

Note that these tools and services are listed as examples, and are not recommended, endorsed, or certified for any use.

Scanning Tools

Comprehensive analysis of servers can be performed by attempting to initiate weak TLS sessions using custom tools and seeing if the server agrees to utilize obsolete cryptography. There are a number of open source tools and commercial services available that can perform active scans to detect non-compliant TLS versions, cipher suites, and key exchanges. The following example tools claim to be able to scan for obsolete cryptography.

Configuration Tools

In addition to the configurations in this repository, the following example tools can assist in creating server configuration files that use compliant TLS versions, cipher suites, and key exchanges.

SNORT Rules

The provided SNORT rules are alerting rules; each hit requires investigation to confirm it is accurate. The rules have been tested, but every system can be configured differently, so verify that each signature triggers as intended in your environment and adjust it as needed for your sensors.
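Both the active scanning described above and the SNORT rules come down to the same question: which protocol version and cipher suite did the server actually agree to in its ServerHello? The parser below, an added example that is not part of this repository, walks a captured ServerHello record, accounts for TLS 1.3 signalling its real version in the supported_versions extension, and reports obsolete versions (SSLv3, TLS 1.0, TLS 1.1) or a small assumed sample of weak IANA cipher suite IDs (NULL, export, RC4, 3DES). The `build_server_hello` helper only constructs test input.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE_VERSIONS = {0x0300, 0x0301, 0x0302}
# Sample of IANA suite IDs using NULL, export-grade, RC4 or 3DES (assumed list, not exhaustive)
WEAK_SUITES = {0x0001, 0x0002, 0x0003, 0x0005, 0x000A}
SUPPORTED_VERSIONS_EXT = 0x002B

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                               # skip server random
    pos += 1 + hs[pos]                         # skip session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                                   # cipher suite + compression method
    if pos + 2 <= len(hs):                     # extensions block, if present
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            # TLS 1.3 keeps legacy_version 0x0303 and puts 0x0304 here (RFC 8446)
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher_suite": suite}

def assess(record: bytes) -> list:
    """List the reasons a negotiated session counts as obsolete (empty list = compliant)."""
    info = parse_server_hello(record)
    findings = []
    if info["version"] in OBSOLETE_VERSIONS:
        findings.append(f"obsolete protocol {VERSION_NAMES[info['version']]}")
    if info["cipher_suite"] in WEAK_SUITES:
        findings.append(f"weak cipher suite 0x{info['cipher_suite']:04X}")
    return findings

def build_server_hello(version: int, suite: int, ext_version=None) -> bytes:
    """Construct a minimal ServerHello record as test input (constructed, not real traffic)."""
    ext = b"" if ext_version is None else struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, ext_version)
    hs = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!HH", version, len(body)) + body
```

Running `assess()` over ServerHello records extracted from a packet capture gives the same verdict a scanner derives from a live handshake, which is useful for confirming that a SNORT hit is a true positive.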

See SNORT rules readme and text files for more information.

Detecting Secure TLS

See SNORT rules for more information.

Secure TLS Web Server Configurations

See web server configuration readme and text files for more information.

License

See LICENSE.

Contributing

See CONTRIBUTING.

Disclaimer

See DISCLAIMER.
