Context
TLS endpoints are typically audited against a baseline (e.g. Mozilla SSL
profile intermediate or modern, a custom cipher whitelist, mandatory OCSP
stapling). Each compliance dimension has its own threshold semantics.
CONTRIBUTING's "one tool, one task" rule keeps this out of the http
(availability) plugin and out of the cert (certificate) plugin.
The output model follows public TLS-test services (Qualys SSL Labs,
testssl.sh, sslyze): an overall grade A+ to F based on protocol support,
cipher strength, key exchange and vulnerability flags.
Scope
Plugin tls-compliance. Connects to the endpoint and probes:
- Negotiated TLS version (default highest; per-version probes optional).
- Supported protocols (TLS 1.2, 1.3; flag SSLv2, SSLv3, TLS 1.0, TLS 1.1
as failing).
- Cipher suites offered (server-side preference if obtainable).
- Key exchange parameters (forward secrecy, named groups).
- OCSP stapling presence and validity.
- ALPN advertised protocols.
- Compression (CRIME), heartbeat extension, insecure renegotiation.
Parameters:
--always-ok, --insecure, --timeout
--url, --sni-hostname
--profile modern|intermediate|old|custom (Mozilla SSL profiles;
default intermediate)
--min-tls 1.2|1.3 (overrides profile)
--cipher-allow (append regex; case-insensitive),
--cipher-deny (append regex)
--require-ocsp-stapling
--lengthy, --brief
--warning, --critical: Nagios ranges over the numeric grade.
Output:
- Default: overall grade (A+ to F) plus failing dimensions.
- --lengthy: tables for protocols, cipher suites, key exchange,
  vulnerability flags.
Perfdata: numeric grade, tls_handshake_time, plus boolean flags per
checked dimension (ocsp_stapling, forward_secrecy, tls13, ...).
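As an added illustration (not plugin code, and not the final grading formula): a constructed, simplified scorer that maps probe results to the numeric/letter grade and failing dimensions described above, applies --cipher-deny regexes case-insensitively, and checks the numeric grade against a Nagios range as --warning/--critical would. Grade weights and the probe dict layout are assumptions.

```python
import re
# Constructed, simplified grading model (assumption; SSL Labs weights dimensions differently).
GRADES = ["F", "D", "C", "B", "A", "A+"]            # numeric grade = list index
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def evaluate(probe, cipher_deny=(), require_ocsp=False):
    """Map a probe dict to (numeric_grade, letter_grade, failing_dimensions)."""
    failing = []
    score = len(GRADES) - 1                          # start at A+, demote per failure
    legacy = sorted(LEGACY_PROTOCOLS & set(probe["protocols"]))
    if legacy:
        failing.append("protocols: " + ",".join(legacy))
        score -= 2
    denied = [c for c in probe["ciphers"]            # --cipher-deny regexes, case-insensitive
              if any(re.search(p, c, re.IGNORECASE) for p in cipher_deny)]
    if denied:
        failing.append("ciphers: " + ",".join(denied))
        score -= 1
    if not probe["forward_secrecy"]:
        failing.append("key exchange: no forward secrecy")
        score -= 1
    if require_ocsp and not probe["ocsp_stapling"]:
        failing.append("ocsp_stapling: missing")
        score -= 1
    if probe["compression"] or probe["insecure_reneg"]:
        failing.append("vulnerability flags: compression/insecure renegotiation")
        score = 0                                    # known-exploitable: straight to F
    return score, GRADES[score], failing

def nagios_range_alert(value, spec):
    """True when value violates a Nagios range spec ("3:", "~:2", "@3:4", "5")."""
    inside = spec.startswith("@")                    # '@' inverts: alert if inside
    lo, sep, hi = spec.lstrip("@").partition(":")
    if not sep:                                      # bare "N" means 0:N
        lo, hi = "0", lo
    low = float("-inf") if lo == "~" else float(lo or 0)
    high = float("inf") if hi == "" else float(hi)
    outside = value < low or value > high
    return not outside if inside else outside

# Constructed sample probe: TLS 1.0 still enabled, one CBC-SHA1 suite, no stapling.
SAMPLE = {"protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
          "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA"],
          "forward_secrecy": True, "ocsp_stapling": False,
          "compression": False, "insecure_reneg": False}

if __name__ == "__main__":
    num, letter, fails = evaluate(SAMPLE, cipher_deny=[r"-SHA$", r"RC4"], require_ocsp=True)
    print(letter, fails, "CRITICAL" if nagios_range_alert(num, "3:") else "OK")
```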
Dependencies
Linuxfabrik/lib#137 (timing telemetry, peer_cert_der).
cryptography (already transitive).
Reference
- Upstream check_curl.c for the TLS-related parameter shape (-S/--ssl,
  --sni, --ca-cert) we stay compatible with where it makes sense.
- Qualys SSL Labs (ssllabs.com) for the grading model.
- sslyze (https://github.com/nabla-c0d3/sslyze) for the probe matrix.
- testssl.sh as additional reference for dimensions.
- example plugin for structure.
Classification
New plugin. Enhancement.