Cleanup

mxsasha · mxsasha · commit 3b59db8ef48f · 2025-07-29T13:01:38.000+02:00
diff --git a/checks/tasks/tls/evaluation.py b/checks/tasks/tls/evaluation.py
@@ -111,7 +111,7 @@ def from_ciphers_accepted(cls, ciphers_accepted: List[CipherSuiteAcceptedByServe
         phase_out = set()
         bad = set()
 
-        # Evaluate according to NCSC table 4 and table 10
+        # Evaluate according to NCSC 3.3.2.1 table 3 and 3.3.3.1 table 7
         for suite in _unique_unhashable(ciphers_accepted):
             key = suite.ephemeral_key
             if not key:
@@ -124,7 +124,6 @@ def from_ciphers_accepted(cls, ciphers_accepted: List[CipherSuiteAcceptedByServe
                     bad.add(f"ECDH-{key.curve_name}")
 
             if isinstance(key, DhEphemeralKeyInfo):
-                # NCSC 3.3.3.1
                 if key.generator == FFDHE_GENERATOR:
                     if key.prime in FFDHE_PHASE_OUT_PRIMES:
                         phase_out.add(f"DH-{key.size}")
@@ -340,7 +339,6 @@ class TLSCipherOrderEvaluation:
     If a violation is found, the violation attribute is a two
     item list with first the cipher preferred by the server,
     second the cipher we expected to be preferred above that.
-    NCSC B2-5
     """
 
     violation: List[str]
diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py
@@ -387,7 +387,7 @@ def cert_checks(hostname: str, mode: ChecksMode, af_ip_pair=None, *args, **kwarg
     trusted_score = trusted_score_good if cert_deployment.verified_certificate_chain else trusted_score_bad
     pubkey_score, pubkey_bad, pubkey_phase_out = check_pubkey(cert_deployment.received_certificate_chain, mode)
 
-    # NCSC guideline B3-2
+    # NCSC 3.3.2 / 3.3.5
     sigalg_bad = {}
     sigalg_score = scoring.WEB_TLS_SIGNATURE_GOOD
     for cert in cert_deployment.received_certificate_chain:
@@ -972,7 +972,6 @@ def test_cipher_order(
     by each good, and then expects the server to choose the good cipher.
     That assures us that the server prefers each good cipher over any lower cipher.
     This is tested at all levels that the server supported.
-    NCSC B2-5.
     """
     cipher_order_violation = []
     if (
diff --git a/checks/tasks/tls/tls_constants.py b/checks/tasks/tls/tls_constants.py
@@ -270,4 +270,5 @@
     "D68C8BB7 C5C6424C FFFFFFFF FFFFFFFF"
 )
 FFDHE_GENERATOR = bytearray(b"\x02")  # Matched to the type in nassl's DhEphemeralKeyInfo
+# NCSC 3.3.3.1
 FFDHE_PHASE_OUT_PRIMES = [FFDHE8192_PRIME, FFDHE6144_PRIME, FFDHE4096_PRIME, FFDHE3072_PRIME]

Original file line number	Diff line number	Diff line change
`@@ -270,4 +270,5 @@`
`270`	`270`	`"D68C8BB7 C5C6424C FFFFFFFF FFFFFFFF"`
`271`	`271`	`)`
`272`	`272`	`FFDHE_GENERATOR = bytearray(b"\x02") # Matched to the type in nassl's DhEphemeralKeyInfo`
	`273`	`+# NCSC 3.3.3.1`
`273`	`274`	`FFDHE_PHASE_OUT_PRIMES = [FFDHE8192_PRIME, FFDHE6144_PRIME, FFDHE4096_PRIME, FFDHE3072_PRIME]`