Encryption strength verified via scan tools

Why it matters

CWE-326 (inadequate encryption strength) can exist in a system that is technically configured for AES-256 but is serving weak cipher suites due to misconfiguration — a condition only detectable by external TLS scanning, not by reading configuration files. PCI-DSS 4.0 Req-4.2 requires that the actual transmitted encryption meet the standard, not just that the configuration claims to. NIST SC-13 requires approved cryptographic module use. A TLS scan with grade C or lower indicates negotiation of weak cipher suites (RC4, 3DES, export ciphers) that can be exploited by BEAST, POODLE, or SWEET32 attacks against financial transaction traffic. Self-reported TLS configuration is not a substitute for external verification.

Remediation

Run an SSLLabs scan against your production domain and document the result in docs/tls-scan.md:

# Command-line TLS check (no signup required):
curl -s "https://api.ssllabs.com/api/v3/analyze?host=yourdomain.com&publish=off&all=done" \
  | jq '{grade: .endpoints[0].grade, protocol: .endpoints[0].details.protocols}'

# Or via testssl.sh (offline tool):
docker run --rm drwetter/testssl.sh yourdomain.com:443

For an A grade, your nginx or cloud load balancer needs:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;

Schedule a recurring scan (e.g., a quarterly CI job using testssl.sh) and record the grade in docs/tls-scan.md with the date — this satisfies the 180-day verification window.

Detection

ID: finserv-encryption.pci-alignment.encryption-scan-verified
Severity: low
What to look for: Count all SSL/TLS scan reports or records. Quote the actual scan tool used and the grade received. Verify at least 1 scan was conducted within the past 180 days with a grade of A or B. A grade below B does not count as pass.
Pass criteria: At least 1 TLS scan report exists from within the past 180 days showing Grade A or B (SSLLabs or equivalent). Report the count even on pass (e.g., "1 SSLLabs scan from 2026-02-01, Grade A, TLS 1.3 with strong cipher suites").
Fail criteria: No scan evidence (0 reports), or scan results showing Grade C or lower, or last scan more than 180 days ago.
Skip (N/A) when: Project is in early development and not yet publicly accessible — cite the actual deployment status found.
Detail on fail: "0 SSL/TLS scan reports found — encryption strength not verified" or "SSLLabs grade D — 3 of 5 cipher suites are weak"

Remediation:

Run an SSL/TLS scan:

# Using SSLLabs (online): https://www.ssllabs.com/ssltest/
# Or command-line tools:
openssl s_client -connect yoursite.com:443 -tls1_3
nmap --script ssl-enum-ciphers yoursite.com

Strengthen cipher suites:

# nginx config
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

Why it matters

Remediation

Run an SSLLabs scan against your production domain and document the result in docs/tls-scan.md:

# Command-line TLS check (no signup required):
curl -s "https://api.ssllabs.com/api/v3/analyze?host=yourdomain.com&publish=off&all=done" \
  | jq '{grade: .endpoints[0].grade, protocol: .endpoints[0].details.protocols}'

# Or via testssl.sh (offline tool):
docker run --rm drwetter/testssl.sh yourdomain.com:443

For an A grade, your nginx or cloud load balancer needs:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;

Schedule a recurring scan (e.g., a quarterly CI job using testssl.sh) and record the grade in docs/tls-scan.md with the date — this satisfies the 180-day verification window.

Detection

ID: finserv-encryption.pci-alignment.encryption-scan-verified
Severity: low
What to look for: Count all SSL/TLS scan reports or records. Quote the actual scan tool used and the grade received. Verify at least 1 scan was conducted within the past 180 days with a grade of A or B. A grade below B does not count as pass.
Pass criteria: At least 1 TLS scan report exists from within the past 180 days showing Grade A or B (SSLLabs or equivalent). Report the count even on pass (e.g., "1 SSLLabs scan from 2026-02-01, Grade A, TLS 1.3 with strong cipher suites").
Fail criteria: No scan evidence (0 reports), or scan results showing Grade C or lower, or last scan more than 180 days ago.
Skip (N/A) when: Project is in early development and not yet publicly accessible — cite the actual deployment status found.
Detail on fail: "0 SSL/TLS scan reports found — encryption strength not verified" or "SSLLabs grade D — 3 of 5 cipher suites are weak"

Remediation:

Run an SSL/TLS scan:

# Using SSLLabs (online): https://www.ssllabs.com/ssltest/
# Or command-line tools:
openssl s_client -connect yoursite.com:443 -tls1_3
nmap --script ssl-enum-ciphers yoursite.com

Strengthen cipher suites:

# nginx config
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

Encryption strength verified via scan tools

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Encryption strength verified via scan tools

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History