Add CCM

mxsasha · mxsasha · commit 39117455d821 · 2024-07-01T15:26:02.000+02:00
diff --git a/checks/tasks/tls/tls_constants.py b/checks/tasks/tls/tls_constants.py
@@ -40,6 +40,7 @@
 
 
 # NCSC appendix C, derived from table 2, 6 and 7
+# Anything not in these lists, is insufficient.
 CIPHERS_GOOD = [
     "TLS_AES_256_GCM_SHA384",
     "TLS_CHACHA20_POLY1305_SHA256",
@@ -53,6 +54,10 @@
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    # CCM is not in appendix C, but footnote 31 makes it Good (CCM_8 is insufficient)
+    "TLS_AES_128_CCM_SHA256",  # TLS 1.3 notation
+    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
 ]
 CIPHERS_SUFFICIENT = [
     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
@@ -83,6 +88,9 @@
     "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
     "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
     "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+    # CCM is not in appendix C, but footnote 31 makes it Good (on its own)
+    "TLS_DHE_RSA_WITH_AES_128_CCM",
+    "TLS_DHE_RSA_WITH_AES_256_CCM",
 ]
 CIPHERS_PHASE_OUT = [
     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
@@ -95,6 +103,9 @@
     "TLS_RSA_WITH_AES_128_CBC_SHA256",
     "TLS_RSA_WITH_AES_128_CBC_SHA",
     "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+    # CCM is not in appendix C, but footnote 31 makes it Good (on its own)
+    "TLS_RSA_WITH_AES_128_CCM",
+    "TLS_RSA_WITH_AES_256_CCM",
 ]
 
 # NCSC table 1
