TLS Configuration Checks
Probes the live socket so a stale config file cannot hide a deprecated TLS handshake from the assessor.
The problem
Configuration files lie. A server gets restarted with a stale config, a load balancer terminates TLS upstream of the application, or a deployment script appends a cipher line nobody remembers writing. The result is a contractor whose nginx.conf says TLS 1.2-only while port 443 happily completes a TLS 1.0 handshake against the assessor's scanner.
On Windows, the SChannel registry has its own quirks. The absence of an Enabled key is not the same as Enabled=0; older Windows builds implicitly allow deprecated protocols when the key is missing entirely. SSH adds another surface area, since defaults across distributions still ship with chacha20-poly1305 and hmac-sha1-96, neither of which is FIPS-approved and both of which appear on remote-access hosts handling CUI.
Each of these is a transmission confidentiality finding under 3.13.8 and a FIPS finding under 3.13.11, both 5-point controls. Assessors do not take a contractor's word that TLS is configured. They probe, the same way this agent does, and they bill for it.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
Verifies that the cryptographic mechanisms protecting CUI in transit are actually enforced, both via configuration parsing and via live TCP probes that bypass stated policy.
Confirms the cipher suites available for negotiation are restricted to the FIPS-approved subset, not just whatever the underlying library supports.
Detects weak key exchange mechanisms (anonymous DH, export-grade RSA, sub-2048-bit groups) that compromise key establishment regardless of the symmetric cipher.
Audits SSH cipher and MAC configuration as the cryptographic protection mechanism for remote access sessions.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Linux: Parses sshd_config for Ciphers and MACs directives, flagging non-FIPS suites including 3des-cbc, arcfour, blowfish-cbc, chacha20-poly1305, hmac-md5, and hmac-sha1-96. Parses nginx ssl_protocols and ssl_ciphers, Apache SSLProtocol and SSLCipherSuite. Sends raw TLS 1.0 and TLS 1.1 ClientHello frames to localhost:443, 8443, 8080, 3000, and 4443 with 200 to 500 ms timeouts, so servers accepting deprecated handshakes regardless of config get caught immediately.
Windows: Walks the SChannel registry subtree under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and flags both explicit Enabled=1 entries and missing keys for TLS 1.0/1.1 and SSL 2.0/3.0. Live TLS probes run against the same fixed port set as Linux to catch implementation drift, and each finding ships with the negotiated protocol version attached so remediation evidence writes itself.
Not applicable on this platform.
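The live-socket probe described above, as an added example written for this page (not the agent's own code): it builds a ClientHello pinned to a single legacy version, reads the version the server answers with, and treats a closed port, reset or alert as "no listener to fault". The port set and the 500 ms timeout come from the page; the cipher suites offered and the version map are constructed for the example.

```python
import socket
import struct

# Version bytes as they appear on the wire (RFC 5246 ProtocolVersion); constructed map for this example.
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
PROBE_PORTS = (443, 8443, 8080, 3000, 4443)          # the fixed port set the page names

def build_client_hello(version):
    """Build one TLS record carrying a ClientHello pinned to a single legacy version.
    Three cipher suites an old server would accept and no extensions, so a server that
    permits that version negotiates it and one that does not sends an alert."""
    major, minor = version
    suites = b"\x00\x2f\x00\x35\x00\x0a"               # AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA
    body = (bytes([major, minor])                      # client_version
            + b"\x00" * 32                             # random: fixed, this is a probe, not a session
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def negotiated_version(reply):
    """Return the version the server put in its ServerHello, or None if it refused
    (alert record), answered with something else, or sent too little to parse."""
    if len(reply) < 11 or reply[0] != 0x16 or reply[5] != 0x02:   # handshake record, ServerHello
        return None
    return TLS_VERSIONS.get((reply[9], reply[10]), f"unknown {reply[9]}.{reply[10]}")

def probe(host, port, version, timeout=0.5):
    """Offer one legacy version to a live socket and report what it does.
    'negotiated' is None when nothing listens, the connection resets, or the server alerts,
    which the page's acceptance criteria treat as 'no finding' rather than an error."""
    result = {"host": host, "port": port, "offered": TLS_VERSIONS[version], "negotiated": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            result["negotiated"] = negotiated_version(sock.recv(4096))
    except OSError:                                    # refused, reset or timed out: no listener to fault
        pass
    return result

if __name__ == "__main__":
    for port in PROBE_PORTS:
        for version in ((3, 1), (3, 2)):
            r = probe("127.0.0.1", port, version)
            if r["negotiated"]:
                print(f"HIGH {r['host']}:{r['port']} completed a {r['negotiated']} handshake")
```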
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: SSL 2.0 or 3.0 accepting connections. Live probe completed a handshake on a deprecated protocol that has been broken for a decade. Direct 3.13.8 violation.
- HIGH: TLS 1.0 or 1.1 accepting connections. Server completed a handshake on a TLS version that no FIPS-validated configuration permits. Configuration says one thing, the live socket says another.
- HIGH: Non-FIPS SSH ciphers configured. sshd_config lists chacha20-poly1305, 3des-cbc, or hmac-sha1-96, all accepted by SSH but disallowed under FIPS for any remote access to CUI systems.
- HIGH: nginx ssl_ciphers contains RC4 or NULL. Cipher string includes RC4, NULL, EXPORT, ADH, or AECDH. Any client that negotiates these reaches the server with no real cryptographic protection.
- LOW: SChannel protocol key absent. Windows SChannel has no Enabled value set for TLS 1.0; the protocol is implicitly available on older builds even when FipsAlgorithmPolicy is on.
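The sshd_config side of the "Non-FIPS SSH ciphers configured" finding, as an added example written for this page (not the agent's own parser). It reads the file line by line, stops at the first Match block since Ciphers and MACs are daemon-wide settings, and treats the OpenSSH +, ^ and - list modifiers as edits to the distribution defaults rather than replacements, so the defaults the page says still ship chacha20-poly1305 are reported as remaining in effect. The NON_FIPS set is built from the algorithms the page names and is not a complete FIPS catalogue.

```python
import re

# Non-FIPS algorithms the page calls out, keyed by their OpenSSH names with the
# "@openssh.com" and "-etm" suffixes stripped (constructed list for this example).
NON_FIPS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
            "chacha20-poly1305", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def _normalise(alg):
    """'hmac-sha1-96-etm@openssh.com' -> 'hmac-sha1-96' so all variants hit one entry."""
    base = alg.lower().split("@", 1)[0]
    return base[:-4] if base.endswith("-etm") else base

def audit_sshd_config(text):
    """Read sshd_config line by line and return findings as (line, directive, detail).
    Only the global section is audited: the first Match block ends daemon-wide scope.
    A leading +, ^ or - on the value modifies the distribution defaults instead of
    replacing them, so those defaults stay in effect and are reported as such.
    Line 0 marks a finding about a directive that is absent altogether."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Ciphers x' or 'Ciphers = x'
        directive = parts[0].lower()
        if directive == "match":
            break
        if directive not in ("ciphers", "macs") or len(parts) < 2 or not parts[1].strip():
            continue
        seen.add(directive)
        value = parts[1].strip()
        modifier = value[0] if value[0] in "+^-" else ""
        algs = [a for a in value.lstrip("+^-").split(",") if a]
        if modifier != "-":        # '-' removes algorithms; nothing it lists is enabled by it
            for alg in algs:
                if _normalise(alg) in NON_FIPS:
                    findings.append((lineno, directive, f"non-FIPS algorithm {alg}"))
        if modifier:
            findings.append((lineno, directive, "defaults still in effect (modifier list)"))
    for directive in ("ciphers", "macs"):
        if directive not in seen:
            findings.append((0, directive, "directive absent; distribution defaults in effect"))
    return findings
```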
TLS misconfiguration routinely hits 3.13.8 and 3.13.11 simultaneously, both 5-point controls. A live probe accepting TLS 1.0 maps to 3.13.8 directly, a deduction of −5 if no compensating control exists. SSH cipher drift is the most common single source of a −5 on 3.1.13 across the contractors we have surveyed. The assessor runs their own TLS scans during testing as a matter of course; running this agent on a cadence means the contractor catches and remediates regressions before the C3PAO ever sees them, not after.
How it hooks into the platform
Once Tolerance is pointed at the environment, the platform identifies hosts that terminate TLS and schedules config parses plus live TCP probes automatically. You choose whether handshake captures, parsed configs, and SChannel reads stay on-prem or sync up. Each finding maps to its primary 800-171 control with the probe result attached as evidence. SSP cipher-suite tables populate from the parsed configs; any HIGH or CRITICAL drafts a POA&M entry with the exact registry path, nginx directive, or sshd line. Re-probes on a cadence catch post-deployment regressions within hours.
How we know it's working
Acceptance criteria from the engineering spec: what the agent must do to ship.
- Sweeps five ports per host for live deprecated handshakes in under 2 seconds
- Skips cleanly when no listener is present, no false positives
- Reads config files line-by-line for deterministic parser behavior
- Treats missing SChannel keys as implicitly allowed protocols
- Reports server IP, port, and negotiated protocol on every probe
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.