From 1945f33bc766e28a783b48edf9209b8c76f394bb Mon Sep 17 00:00:00 2001
From: sydia1103 <69560065+sydia1103@users.noreply.github.com>
Date: Fri, 18 Feb 2022 17:56:30 -0600
Subject: [PATCH 1/2] Added TLS 1.0 and 1.1 Warnings

TLS 1.0 and 1.1 are deprecated. This adds warnings for these protocols.
---
 Src/Report.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Src/Report.cs b/Src/Report.cs
index 24dadad..171fac8 100644
--- a/Src/Report.cs
+++ b/Src/Report.cs
@@ -471,6 +471,12 @@ internal void Analyse()
 }
 if (suites.ContainsKey(M.SSLv30)) {
 warnings["PV003"] = "Server supports SSL 3.0.";
+ }
+ if (suites.ContainsKey(M.TLSv10)) {
+ warnings["PV006"] = "Server supports TLS 1.0.";
+ }
+ if (suites.ContainsKey(M.TLSv11)) {
+ warnings["PV007"] = "Server supports TLS 1.1.";
 }
 if (unknownSKE) {
 warnings["SK001"] = "Some Server Key Exchange messages"

From 85ff56ca8d0ee3636f754156c0d27d24da6acc1c Mon Sep 17 00:00:00 2001
From: sydia1103 <69560065+sydia1103@users.noreply.github.com>
Date: Fri, 18 Feb 2022 18:10:10 -0600
Subject: [PATCH 2/2] Update README.md

---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index c733786..e01d8c6 100644
--- a/README.md
+++ b/README.md
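Review bot: The two new checks in `Analyse()` in Src/Report.cs give no reason in the code for flagging TLS 1.0 and 1.1, and their messages read exactly like the SSL 3.0 one, so a report consumer cannot tell a deprecation finding from a broken protocol. I would add a comment above the first new `if`, `// TLS 1.0 and 1.1 were formally deprecated by RFC 8996 (March 2021)`, and consider naming the deprecation in the strings, e.g. `"Server supports TLS 1.0 (deprecated)."`. The hunk also relies on `M.TLSv10` and `M.TLSv11` being defined and on the IDs PV006 and PV007 not being used elsewhere; neither is visible here, so both are worth confirming before merge. `Analyse()` starts and ends outside the hunk.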
@@ -586,6 +586,21 @@ of some kind. support SSL 2.0, it merely claims to do so. Some other SSL scanning tools wrongly indicate this occurrence as "supports SSL 2.0", which is why this warning is included. + + - **PV006** + + TLS 1.0 is deprecated as of March 2021. It has known flaws. + Recent clients and servers support TLS 1.2 and later and + use a fallback mechanism to prevent attackers from forcing your + brower to fallback to TLS 1.0. It is recomended to disable TLS 1.0 support. + + - **PV007** + +TLS 1.1 is deprecated as of March 2021. It has no known flaws +but we don't want to take any risks. Recent clients and servers +support TLS 1.2 and later and use a fallback mechanism to +prevent attackers from forcing your browser back to fall back to TLS 1.1. +It is recommended to disable TLS 1.1 spport. - **RN001**: Server does not support secure renegotiation.