@mxsasha
Collaborator

@mxsasha mxsasha commented Jun 9, 2025

  • Various min key length constants, do they still apply?
  • RSA length requirements (3.3.2.1)
  • RSA padding requirements (3.3.2.1)
  • Updated FFDHE requirements (3.3.3.1)
  • Verify we see TLS compression (3.4.1)
  • Add new checks to check setup (currently only implemented up to return dict)
  • Extended master secret - check for support (we cannot check for enforcement)
  • Add test for resumption (3.4.3) -> no new test, this is covered by TLS version check
  • kex_hash update "you must at least have SHA2" -> "you must not have SHA1/MD5"
  • Update renegotiation settings: we only have good/bad for on/off, should we add sufficient for limited secure? Also ensure unlimited secure reneg is phase out, insecure is insufficient (3.4.2) -> Fix this inside nassl to return the number of attempts. Limited = maximum 10 permitted.
  • Ensure cipher order is up to date
  • Check for any references to old standards in code
  • Fix formatting for bad curves
  • Clarify all new/changed labels
  • Extend openapi.yaml if needed
  • Document API changes for release notes
  • Fix batch test
  • EdDSA auth detected as sufficient? (3.3.2) -> EdDSA can only be done with supported curves, so this test cannot fail. We do implement it -> add a comment in the code about this
  • Which certs do we check for signature hash algorithm, and key size/curve. Current: hash checked for all non-root certificates sent, key size/curve checked for all certificates sent. Discussion 9-9: check all certificates sent by the server, except those that exist in the trust store.

Interesting data point: the old SHA2 key exchange check had a bug in the sslyze branch, which we did not notice in comparisons probably because it never fails.

Weird results

  • Testssl claims intermediair.nl offers RSA+SHA224 (implied PKCS) and RSA+SHA1 on TLS 1.2. But our test shows OK, so we are not detecting these or not interpreting correctly.

Discuss:

  • Review our stance on EMS

To consider

  • Display 'banner' for old tests at TLS test (category, or preferably at each sub test detail level): an explanation that the test verdict (text) and content are no longer in sync / even correct? The new explanations for the new rules are shown: advise retest.
  • Run comparison on some HoF subset, to get an idea how many people lose their 100%

Content

See content PR

@mxsasha
Collaborator Author

mxsasha commented Jun 16, 2025

Regarding SHA2 key exchange: TLS 1.2 still supports signature algorithms here that do not meet the new requirements. So, we need to keep the check, but modify it from "you must support SHA2" to "you must not support any SHA1 or MD5". In TLS 1.3, only SHA2 is supported for this purpose.
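
The change of rule described in this comment, as an added example (not code from this PR or from the project): it decodes 2-byte TLS signature algorithm code points and runs the old and the new rule over a constructed list of accepted algorithms. The function names and the sample list are assumptions; how the accepted list is obtained from a server is out of scope here.

```python
# Added illustration; not code from this PR or the project it belongs to.
# Hash and signature byte values: RFC 5246 (TLS 1.2) registries.
LEGACY_HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
LEGACY_SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# RFC 8446 schemes, which do not follow the hash-byte/signature-byte split.
MODERN = {
    0x0804: ("rsa_pss_rsae", "sha256"), 0x0805: ("rsa_pss_rsae", "sha384"),
    0x0806: ("rsa_pss_rsae", "sha512"), 0x0809: ("rsa_pss_pss", "sha256"),
    0x080A: ("rsa_pss_pss", "sha384"), 0x080B: ("rsa_pss_pss", "sha512"),
    0x0807: ("ed25519", "intrinsic"), 0x0808: ("ed448", "intrinsic"),
}
WEAK = {"md5", "sha1"}
SHA2 = {"sha224", "sha256", "sha384", "sha512"}


def decode(code_point):
    """Return (signature, hash) for a 2-byte signature algorithm code point."""
    if code_point in MODERN:
        return MODERN[code_point]
    hash_id, sig_id = code_point >> 8, code_point & 0xFF
    if hash_id in LEGACY_HASH and sig_id in LEGACY_SIG:
        return LEGACY_SIG[sig_id], LEGACY_HASH[hash_id]
    return f"0x{code_point:04x}", "unknown"


def old_check(accepted):
    """Old wording, 'you must support SHA2': any SHA2 algorithm is enough."""
    return any(decode(cp)[1] in SHA2 for cp in accepted)


def new_check(accepted):
    """New wording, 'you must not support any SHA1 or MD5'."""
    weak = [f"{sig}+{h}" for sig, h in map(decode, accepted) if h in WEAK]
    return not weak, weak


# Constructed sample: algorithms a hypothetical TLS 1.2 server accepts.
SAMPLE = [0x0401, 0x0403, 0x0301, 0x0201]

if __name__ == "__main__":
    print("old rule passes:", old_check(SAMPLE))
    print("new rule passes, offenders:", new_check(SAMPLE))
```

The constructed sample passes the old rule because SHA2 algorithms are present, and fails the new rule because RSA+SHA1 is also accepted.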

@mxsasha mxsasha force-pushed the sslyze branch 3 times, most recently from 98ace1a to ac3edcc on June 24, 2025 13:55
@mxsasha mxsasha force-pushed the ncsc2025 branch 7 times, most recently from faeba8d to 3b59db8 on July 29, 2025 11:01
@mxsasha mxsasha force-pushed the ncsc2025 branch 3 times, most recently from e46af94 to 63c8ff9 on August 4, 2025 14:16
@mxsasha mxsasha force-pushed the ncsc2025 branch 4 times, most recently from ad38aec to 8b418e4 on August 12, 2025 14:38
@mxsasha mxsasha linked an issue Sep 1, 2025 that may be closed by this pull request
@mxsasha mxsasha force-pushed the sslyze branch 3 times, most recently from 23a05f6 to 6b9d4a2 on November 28, 2025 13:19
This is a bit wonky, but it's fine, it's only for the dev4 test period
…LS-guidelines, so status fail and score penalty seems fitting"

This reverts commit 7480c0f.
Development

Successfully merging this pull request may close these issues.

Check if Extended Master Secret is supported in TLSv1.2
