4elta / recon

automate the boring stuff!
GNU General Public License v3.0

No possibility for conditional recommendations in analyzer config profiles #72

Closed Bluesky787 closed 12 months ago

Bluesky787 commented 12 months ago

While writing the BSI recommendation profile for the TLS analyzer, I noticed that it would be useful to add conditional recommendations. As an example, BSI still recommends using AES-CBC ciphers, as long as the TLS extension "Encrypt-then-MAC" is used.

When following BSI recommendations, Recon should mark a missing "Encrypt-then-MAC" extension only when using TLS 1.2 and CBC ciphers. The other way around would be Recon marking the use of AES-CBC ciphers only when the "Encrypt-then-MAC" extension is missing.

A possible solution could be to add conditions to enumerations, e.g.

cipher_suites = {
  Default = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  ],
  extension:encrypt_then_mac = [
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"
  ]
}
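To make the proposed semantics concrete, here is an added example (not code from the recon project or from either commenter) of how an analyzer could evaluate such a profile: a cipher-suite list keyed `Default` is always acceptable, and a list keyed `extension:<name>` is acceptable only when the scanned server negotiates that extension. The profile, the `PROFILE`/`SCAN_*` constants, the `evaluate` function name and the finding text are all assumptions of this example; only the two list keys and the cipher-suite names come from the suggestion above.

```python
"""
Evaluate a TLS scan result against a recommendation profile that supports
conditional cipher-suite lists (constructed example, not recon's own code).

Profile keys without a colon are unconditional; a key of the form
"<kind>:<name>" is a condition. Only kind "extension" is implemented here.
"""

# Constructed profile in the shape suggested in the issue.
PROFILE = {
    "cipher_suites": {
        "Default": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        ],
        "extension:encrypt_then_mac": [
            "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
        ],
    }
}

# Constructed scan results (what a TLS scanner would report for a host).
SCAN_OK = {            # CBC suite offered, but Encrypt-then-MAC is negotiated
    "version": "TLS 1.2",
    "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"],
    "extensions": ["encrypt_then_mac"],
}
SCAN_NO_ETM = {        # same suites, extension missing -> must be flagged
    "version": "TLS 1.2",
    "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"],
    "extensions": [],
}
SCAN_LEGACY = {        # suite that is in no list at all -> flagged unconditionally
    "version": "TLS 1.2",
    "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "extensions": [],
}


def parse_condition(key):
    """Return (kind, name) for a conditional key, or None for an unconditional list."""
    if ":" not in key:
        return None
    kind, _, name = key.partition(":")
    if not kind or not name:
        raise ValueError(f"malformed condition key: {key!r}")
    return kind, name


def condition_holds(cond, scan):
    """Decide whether a parsed condition is satisfied by the scan result."""
    kind, name = cond
    if kind == "extension":
        return name in scan["extensions"]
    raise ValueError(f"unsupported condition kind: {kind!r}")


def evaluate(profile, scan):
    """Return a sorted list of findings; an empty list means the host complies."""
    findings = []
    unconditional = set()
    conditional = {}          # suite -> conditions under which it is acceptable
    for key, suites in profile["cipher_suites"].items():
        cond = parse_condition(key)
        for suite in suites:
            if cond is None:
                unconditional.add(suite)
            else:
                conditional.setdefault(suite, []).append(cond)

    unmet = {}                # condition -> suites that need it but lack it
    for suite in scan["cipher_suites"]:
        if suite in unconditional:
            continue
        conds = conditional.get(suite)
        if conds is None:
            findings.append(f"cipher suite not recommended: {suite}")
            continue
        if any(condition_holds(c, scan) for c in conds):
            continue
        for c in conds:
            unmet.setdefault(c, []).append(suite)

    # One finding per unmet condition, naming the suites that depend on it,
    # so both phrasings from the issue (missing extension / CBC without EtM)
    # are covered by the same line.
    for (kind, name), suites in unmet.items():
        findings.append(f"missing {kind} {name}, required by: " + ", ".join(suites))
    return sorted(findings)


if __name__ == "__main__":
    for label, scan in (("ok", SCAN_OK), ("no_etm", SCAN_NO_ETM), ("legacy", SCAN_LEGACY)):
        print(label, evaluate(PROFILE, scan))
```

A suite in a conditional list is never reported on its own; the report ties it to the condition it needs, which is what makes the recommendation conditional rather than a flat allow-list. Adding a second condition kind (for example one keyed on the protocol version) only requires extending `condition_holds`.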
4elta commented 12 months ago

Thank you for this suggestion.

I have implemented a version very similar to your suggestion; see commit 8024044089b98d92d49b4c3e8b1f30b0a50c5695.

Please let me know what you think of it.

Bluesky787 commented 12 months ago

This is some outstanding service. I'm happy to implement this in upcoming recommendations.