From 49374a08bd84f43e103f384248f5e954d7855d46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Fri, 13 Mar 2020 10:50:20 +0100
Subject: [PATCH 1/2] Support TLS1.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Support for TLS1.3 added
Signed-off-by: Michée Lengronne
---
 controls/ssl_test.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/controls/ssl_test.rb b/controls/ssl_test.rb
index eec10e6..f528658 100644
--- a/controls/ssl_test.rb
+++ b/controls/ssl_test.rb
@@ -84,7 +84,7 @@
 #######################################################
 # Protocol Tests #
-# Valid protocols are: tls1.2 #
+# Valid protocols are: tls1.2, tls1.3 #
 # Invalid protocols are : ssl2, ssl3, tls1.0, tls1.1 #
 #######################################################
 control 'ssl2' do
@@ -162,6 +162,21 @@
 end
 end
+control 'tls1.3' do
+ title 'Enable TLS 1.3 on exposed ports.'
+ impact 0.5
+ only_if { sslports.length > 0 }
+
+ sslports.each do |sslport|
+ # create a description
+ proc_desc = "on node == #{target_hostname} running #{sslport[:socket].process.inspect} (#{sslport[:socket].pid})"
+ describe ssl(sslport).protocols('tls1.3') do
+ it(proc_desc) { should be_enabled }
+ it { should be_enabled }
+ end
+ end
+end
+
 #######################################################
 # Key Exchange (Kx) Tests #
 # Valid Kx(s) are: ECDHE #
From 2acc4473d3f0c8c8d366120e2bb5727141111b3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20Lengronne?=
Date: Fri, 13 Mar 2020 11:34:31 +0100
Subject: [PATCH 2/2] attribute to choose TLS version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/ssl_test.rb | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/controls/ssl_test.rb b/controls/ssl_test.rb
index f528658..6ae4dc1 100644
--- a/controls/ssl_test.rb
+++ b/controls/ssl_test.rb
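Review bot: The new `tls1.3` control makes `should be_enabled` for TLS 1.3 mandatory on every exposed port, so a service whose TLS stack offers only TLS 1.2 — which the header comment changed in the first hunk still lists as valid — now fails the profile outright. The title `Enable TLS 1.3 on exposed ports.` reads as a recommendation while the expectation is a hard requirement; either the title should say TLS 1.3 is required, or the version to assert should be operator-selectable (the second patch in this series moves that choice into an attribute). Separately, `it(proc_desc) { should be_enabled }` and `it { should be_enabled }`, copied from the existing `tls1.2` control, assert the same thing twice per port and differ only in the reported description, so each port yields two results for one check; if the bare one exists only for a short summary line, a comment such as `# same expectation reported twice: once with process detail, once bare` would make that intent explicit. `sslports.length > 0` reads more idiomatically as `!sslports.empty?`.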
@@ -46,6 +46,12 @@
 description: 'The profile should not check if SSL is enabled on every port and assume it is'
 )
+tls_version = attribute(
+ 'tls_version',
+ value: 'tls1.2',
+ description: 'The current TLS version to check (currently tls1.2 and tls1.3)'
+)
+
 # Find all TCP ports on the system, IPv4 and IPv6
 # Eliminate duplicate ports for cleaner reporting and faster scans and sort the
 # array by port number.
@@ -147,30 +153,15 @@
 end
 end
-control 'tls1.2' do
- title 'Enable TLS 1.2 on exposed ports.'
- impact 0.5
- only_if { sslports.length > 0 }
-
- sslports.each do |sslport|
- # create a description
- proc_desc = "on node == #{target_hostname} running #{sslport[:socket].process.inspect} (#{sslport[:socket].pid})"
- describe ssl(sslport).protocols('tls1.2') do
- it(proc_desc) { should be_enabled }
- it { should be_enabled }
- end
- end
-end
-
-control 'tls1.3' do
- title 'Enable TLS 1.3 on exposed ports.'
+control 'tls1.2-1.3' do
+ title 'Enable TLS 1.2 or TLS 1.3 on exposed ports.'
 impact 0.5
 only_if { sslports.length > 0 }
 sslports.each do |sslport|
 # create a description
 proc_desc = "on node == #{target_hostname} running #{sslport[:socket].process.inspect} (#{sslport[:socket].pid})"
- describe ssl(sslport).protocols('tls1.3') do
+ describe ssl(sslport).protocols(tls_version) do
 it(proc_desc) { should be_enabled }
 it { should be_enabled }
 end
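Review bot: The `tls_version` attribute holds a single string, so although its description says `currently tls1.2 and tls1.3`, one run can assert only one of the two, and nothing constrains the value to those names — a mistyped value in an attributes file is handed straight to `protocols(...)` in the second hunk, and what the ssl resource reports for an unrecognised protocol name is not visible from this patch. Either reword the description to `The TLS version to require on exposed ports (one of: tls1.2, tls1.3)` so it states what the profile actually does, or accept a list and iterate over `Array(tls_version)` in the control so both versions can be required together. Keeping `value: 'tls1.2'` as the default does preserve the profile's previous behaviour, which is worth stating in the description as well.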
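Review bot: The control id `tls1.2-1.3` and title `Enable TLS 1.2 or TLS 1.3 on exposed ports.` describe a disjunction, but `describe ssl(sslport).protocols(tls_version)` asserts exactly the one version the attribute names: with the default `tls1.2` the report says nothing about TLS 1.3, and with `tls1.3` the former TLS 1.2 requirement disappears from the report, while the id stays identical in both cases so results from runs with different settings cannot be told apart. If one version per run is the intent, derive the id and title from the attribute — `control "tls-#{tls_version}" do` and `title "Enable #{tls_version} on exposed ports."` — so the report names what was actually checked; if both versions should be required, wrap the `describe` in `Array(tls_version).each do |version|` and pass `version` to `protocols`. The control's `impact`, `only_if`, `sslports.each` and `proc_desc` lines survive unchanged as context, so only the id, title and protocol argument are new here.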