ANSSI TLS recommendations v1.2 in Cryptosense Discovery

Bertrand Bonnefoy-Claudet
May 7, 2020

Our cryptography service discovery site discovery.cryptosense.com detects servers under a given domain name and runs SSH and TLS scanners against each of them.  The results are checked against best practices carefully defined by Cryptosense. You can also choose to check your results against other widely known standards: ECRYPT and NIST.

Cryptosense Discovery now provides a new standard, "ANSSI", based on the recent new version of the security recommendations for TLS by ANSSI, the French government cybersecurity agency.

Why would I care about recommendations from ANSSI?

Broadly speaking, ANSSI is the French equivalent of NIST, and their recommendations are usually meant for French OIVs (Opérateur d'importance vitale - companies and agencies considered vital for the French economy and the security of the state), and anyone who wants to supply technology to the French government.

However, even if you are outside those categories, the ANSSI have real experience of state-level actor attack capabilities, so it's interesting to see what they recommend.

What's new in v1.2 of the ANSSI recommendations?

The previous publication is v1.1 from August 2016, which is a long time in cryptography years. There are too many changes to list them all, but here are the most notable ones:

  • Support for TLS 1.0 and TLS 1.1 is now discouraged.  TLS 1.3 is the preferred option, while TLS 1.2 is only tolerated.
  • 3DES is not tolerated anymore.
  • Cipher suites with CBC+HMAC must use the Encrypt-then-MAC extension.
  • More TLS extensions should be avoided, like max_fragment_length, ec_point_formats and early_data.
  • Session resumption should use key exchange.
  • The 0-RTT option in TLS 1.3 should be avoided.

How hard is it to check your servers?

To scan servers, you could use popular tools such as Nmap or testssl.sh, or well known online scanners such as those from SSL Labs or Hardenize.  

Unfortunately, none of the tools we know of provide enough data to check the ANSSI policies.  You would typically need a combination of them, and some manual work, to be able to check all the rules.

For instance, unusual details necessary for a full ANSSI analysis include TLS extensions and X.509 revocation data.

What is checked by Cryptosense Discovery?

Discovery finds servers related to a given a domain name and scans them.  We support a number of the specific requirements ANSSI contains, but not all. Since the ANSSI recommendations cover more than just servers, some of them don't apply to Discovery.

Below is a table of the ANSSI rules currently checked by Cryptosense Discovery at the time of writing this article:

IDSummaryNotesR3Prefer TLS 1.3 and accept TLS 1.2Partial support.R4Do not use SSLv2, SSLv3, TLS 1.0 and TLS 1.1✓R5Authenticate the server with key exchangePartial support.R6Exchange keys with PFS✓R7Exchange keys with ECDHE or DHEPartial support.R8Authenticate the server with a certificate✓R9Prefer AES or ChaCha20, tolerate Camellia and ARIA✓R10Use an authenticated mode of encryption, or at least CBC with Encrypt-then-MACPartial support.R11Use SHA-2 as hashing function✓R13Prefer server order of cipher suites✓R19Do not use TLS compression✓R24Present a certificate signed with SHA-2✓R25Present a certificate valid for at most 3 years✓R26Use keys of sufficient lengths✓R27Present an appropriate KeyUsage✓R28Present an appropriate ExtendedKeyUsage✓R33Present a certificate with revocation sources✓

Of the applicable recommendations, more may be added to Discovery in the future. If you have feedback or are interested in the addition of some of those rules, please get in touch.

To test your servers against those new rules, go to discovery.cryptosense.com and select "ANSSI" in the left column of the results page.