canada-ca · lcampbell2 · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/frontend/src/guidance/WebGuidance.js b/frontend/src/guidance/WebGuidance.js
@@ -5,8 +5,12 @@ import {
   AccordionIcon,
   AccordionItem,
   AccordionPanel,
+  AlertDescription,
+  AlertTitle,
   Badge,
+  Box,
   Flex,
+  Link,
   Select,
   Text,
 } from '@chakra-ui/react'
@@ -16,6 +20,7 @@ import { WebTLSResults } from './WebTLSResults'
 import { WebConnectionResults } from './WebConnectionResults'
 import { GuidanceSummaryCategories } from './GuidanceSummaryCategories'
 import { string } from 'prop-types'
+import { NotificationBanner } from '../app/NotificationBanner'
 
 export function WebGuidance({ webResults, timestamp }) {
   const [selectedEndpoint, setSelectedEndpoint] = useState(webResults[0].ipAddress)
@@ -125,6 +130,26 @@ export function WebGuidance({ webResults, timestamp }) {
 
   return (
     <>
+      <NotificationBanner status="info" bannerId="updated-tls-guidance" hideable>
+        <Box>
+          <AlertTitle>
+            <Trans>New Recommended TLS Ciphers</Trans>
+          </AlertTitle>
+          <AlertDescription>
+            <Trans>
+              CCCS has updated their{' '}
+              <Link
+                isExternal
+                href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062#tab2"
+                color="blue.500"
+              >
+                list of recommended TLS cipher suites and elliptic curves
+              </Link>
+              . Please review these findings and update your configurations accordingly.
+            </Trans>
+          </AlertDescription>
+        </Box>
+      </NotificationBanner>
       <Accordion allowMultiple defaultIndex={[0, 1, 2]}>
         <Text fontsize="lg">
           <b>Last Scanned:</b> {formatTimestamp(timestamp)}

diff --git a/frontend/src/locales/en.po b/frontend/src/locales/en.po
@@ -13,10 +13,6 @@ msgstr ""
 "Language-Team: \n"
 "Plural-Forms: \n"
 
-#: src/guidance/EmailGuidance.js:323
-#~ msgid "None"
-#~ msgstr "None"
-
 #: src/termsConditions/TermsConditionsPage.js:170
 msgid ", and"
 msgstr ", and"
@@ -482,7 +478,7 @@ msgstr "Blank fields will not be included when updating the organization."
 #: src/admin/AdminDomains.js:171
 #: src/domains/DomainCard.js:138
 #: src/domains/DomainsPage.js:93
-#: src/guidance/WebGuidance.js:84
+#: src/guidance/WebGuidance.js:89
 #: src/organizationDetails/OrganizationDomains.js:97
 msgid "Blocked"
 msgstr "Blocked"
@@ -503,6 +499,10 @@ msgstr "By default our scanners check domains ending in “.gc.ca” and “.can
 #~ msgid "By default our scanners check domains ending in “.gc.ca” and “.canada.ca”. If your domain is outside that set, you need to contact us to let us know. Send an email to TBS Cyber Security to confirm your ownership of that domain."
 #~ msgstr "By default our scanners check domains ending in “.gc.ca” and “.canada.ca”. If your domain is outside that set, you need to contact us to let us know. Send an email to TBS Cyber Security to confirm your ownership of that domain."
 
+#: src/guidance/WebGuidance.js:139
+msgid "CCCS has updated their <0>list of recommended TLS cipher suites and elliptic curves</0>. Please review these findings and update your configurations accordingly."
+msgstr "CCCS has updated their <0>list of recommended TLS cipher suites and elliptic curves</0>. Please review these findings and update your configurations accordingly."
+
 #: src/guidance/ScanDetails.js:102
 #~ msgid "CCS Injection Vulnerability:"
 #~ msgstr "CCS Injection Vulnerability:"
@@ -1281,11 +1281,11 @@ msgstr "Email successfully sent"
 msgid "Email:"
 msgstr "Email:"
 
-#: src/guidance/WebGuidance.js:54
+#: src/guidance/WebGuidance.js:59
 msgid "Endpoint Summary"
 msgstr "Endpoint Summary"
 
-#: src/guidance/WebGuidance.js:98
+#: src/guidance/WebGuidance.js:103
 msgid "Endpoint:"
 msgstr "Endpoint:"
 
@@ -2410,6 +2410,10 @@ msgstr "New Password:"
 msgid "New Phone Number:"
 msgstr "New Phone Number:"
 
+#: src/guidance/WebGuidance.js:136
+msgid "New Recommended TLS Ciphers"
+msgstr "New Recommended TLS Ciphers"
+
 #: src/admin/AuditLogTable.js:164
 msgid "New Value:"
 msgstr "New Value:"
@@ -3989,7 +3993,7 @@ msgstr "This field cannot be empty"
 msgid "This is a new service, we are constantly improving."
 msgstr "This is a new service, we are constantly improving."
 
-#: src/guidance/WebGuidance.js:144
+#: src/guidance/WebGuidance.js:169
 msgid "This service is not web-hosting and does not require compliance with the Web Sites and Services Management Configuration Requirements."
 msgstr "This service is not web-hosting and does not require compliance with the Web Sites and Services Management Configuration Requirements."
 

diff --git a/frontend/src/locales/fr.po b/frontend/src/locales/fr.po
@@ -13,10 +13,6 @@ msgstr ""
 "Plural-Forms: \n"
 "Report-Msgid-Bugs-To: \n"
 
-#: src/guidance/EmailGuidance.js:323
-msgid "None"
-msgstr "Aucun"
-
 #: src/termsConditions/TermsConditionsPage.js:170
 msgid ", and"
 msgstr ", et"
@@ -478,7 +474,7 @@ msgstr "Les champs vides ne seront pas pris en compte lors de la mise à jour de
 #: src/admin/AdminDomains.js:171
 #: src/domains/DomainCard.js:138
 #: src/domains/DomainsPage.js:93
-#: src/guidance/WebGuidance.js:84
+#: src/guidance/WebGuidance.js:89
 #: src/organizationDetails/OrganizationDomains.js:97
 msgid "Blocked"
 msgstr "Bloqué"
@@ -499,6 +495,10 @@ msgstr "Par défaut, nos scanners vérifient les domaines se terminant par \".gc
 #~ msgid "By default our scanners check domains ending in “.gc.ca” and “.canada.ca”. If your domain is outside that set, you need to contact us to let us know. Send an email to TBS Cyber Security to confirm your ownership of that domain."
 #~ msgstr "Par défaut, nos analyseurs vérifient les domaines se terminant par « .gc.ca » et « .canada.ca ». Si votre domaine se termine autrement, vous devez communiquer avec nous pour nous en aviser. Envoyez un courriel à l’équipe responsable de la cybersécurité du SCT pour confirmer que ce domaine vous appartient. "
 
+#: src/guidance/WebGuidance.js:139
+msgid "CCCS has updated their <0>list of recommended TLS cipher suites and elliptic curves</0>. Please review these findings and update your configurations accordingly."
+msgstr "CCC a mis à jour sa <0>liste de suites de chiffrement TLS et de courbes elliptiques recommandées</0>. Veuillez prendre connaissance de ces résultats et mettre à jour vos configurations en conséquence."
+
 #: src/guidance/ScanDetails.js:102
 #~ msgid "CCS Injection Vulnerability:"
 #~ msgstr "Vulnérabilité d'injection de CCS:"
@@ -1261,11 +1261,11 @@ msgstr "Courriel envoyé avec succès"
 msgid "Email:"
 msgstr "Courrier électronique:"
 
-#: src/guidance/WebGuidance.js:54
+#: src/guidance/WebGuidance.js:59
 msgid "Endpoint Summary"
 msgstr "Résumé du point d'aboutissement"
 
-#: src/guidance/WebGuidance.js:98
+#: src/guidance/WebGuidance.js:103
 msgid "Endpoint:"
 msgstr "Point d'aboutissement :"
 
@@ -2370,6 +2370,10 @@ msgstr "Nouveau mot de passe:"
 msgid "New Phone Number:"
 msgstr "Nouveau numéro de téléphone:"
 
+#: src/guidance/WebGuidance.js:136
+msgid "New Recommended TLS Ciphers"
+msgstr "Nouveaux codes TLS recommandés"
+
 #: src/admin/AuditLogTable.js:164
 msgid "New Value:"
 msgstr "Nouvelle valeur :"
@@ -2521,6 +2525,7 @@ msgstr "Aucune valeur n'a été fournie lors de la tentative de mise à jour des
 msgid "Non-compliant"
 msgstr "Non conforme"
 
+#: src/guidance/EmailGuidance.js:323
 #: src/user/EditableUserTFAMethod.js:164
 msgid "None"
 msgstr "Aucun"
@@ -3942,7 +3947,7 @@ msgstr "Ce champ ne peut pas être vide"
 msgid "This is a new service, we are constantly improving."
 msgstr "Il s'agit d'un nouveau service, que nous améliorons constamment."
 
-#: src/guidance/WebGuidance.js:144
+#: src/guidance/WebGuidance.js:169
 msgid "This service is not web-hosting and does not require compliance with the Web Sites and Services Management Configuration Requirements."
 msgstr "Ce service n'est pas un service d'hébergement Web et ne nécessite pas la conformité aux exigences de configuration de la gestion des sites et services Web."
 

diff --git a/scanners/web-processor/web_processor/tls-guidance.json b/scanners/web-processor/web_processor/tls-guidance.json
@@ -10,22 +10,22 @@
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
       ],
       "sufficient": [
-        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
-        "TLS_DHE_RSA_WITH_AES_256_CCM",
-        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
-        "TLS_DHE_RSA_WITH_AES_128_CCM",
         "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
         "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
         "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
       ],
       "phase_out": [
+        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_CCM",
+        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CCM",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_RSA_WITH_AES_256_CBC_SHA256",
@@ -64,18 +64,18 @@
       "ffdhe3072",
       "ffdhe4096",
       "ffdhe6144",
-      "ffdhe8192",
-      "sect283k1",
-      "sect283r1",
-      "sect409k1",
-      "sect409r1",
-      "sect571k1",
-      "sect571r1"
+      "ffdhe8192"
     ],
     "phase_out": [
       "secp224r1",
       "sect233r1",
       "sect233k1",
+      "sect283k1",
+      "sect283r1",
+      "sect409k1",
+      "sect409r1",
+      "sect571k1",
+      "sect571r1",
       "ffdhe2048"
     ]
   },
@@ -84,6 +84,8 @@
       "ecdsa_secp256r1_sha256",
       "ecdsa_secp384r1_sha384",
       "ecdsa_secp521r1_sha512",
+      "ed25519",
+      "ed448",
       "rsa_pss_pss_sha256",
       "rsa_pss_pss_sha384",
       "rsa_pss_pss_sha512",
@@ -114,12 +116,16 @@
         10,
         11,
         13,
+        16,
         17,
-        18,
         22,
         23,
         50,
+        52,
         65281
+      ],
+      "phase_out": [
+        18
       ]
     },
     "1.3": {
@@ -128,14 +134,18 @@
         5,
         10,
         13,
-        18,
+        16,
         41,
         43,
         44,
         45,
         50,
-        51
+        51,
+        52
+      ],
+      "phase_out": [
+        18
       ]
     }
   }
-}
+}