tls-attacker · ic0ns · Jun 27, 2025
diff --git a/.../java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java b/.../java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java
@@ -64,7 +64,10 @@ public CipherSuiteGuidelineCheck(
     public GuidelineCheckResult evaluate(ServerReport report) {
         List<CipherSuite> nonRecommended = this.nonRecommendedSuites(report);
         return new CipherSuiteGuidelineCheckResult(
-                getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended);
+                getName(),
+                GuidelineAdherence.of(nonRecommended.isEmpty()),
+                nonRecommended,
+                recommendedCipherSuites);
     }
 
     @Override

diff --git a/...va/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java b/...va/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java
@@ -64,10 +64,16 @@ public GuidelineCheckResult evaluate(ServerReport report) {
                 }
             }
             return new HashAlgorithmsGuidelineCheckResult(
-                    getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended);
+                    getName(),
+                    GuidelineAdherence.of(nonRecommended.isEmpty()),
+                    nonRecommended,
+                    recommendedAlgorithms);
         } else {
             return new HashAlgorithmsGuidelineCheckResult(
-                    getName(), GuidelineAdherence.CHECK_FAILED, Collections.emptySet());
+                    getName(),
+                    GuidelineAdherence.CHECK_FAILED,
+                    Collections.emptySet(),
+                    recommendedAlgorithms);
         }
     }
 

diff --git a/.../java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java b/.../java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java
@@ -103,7 +103,7 @@ public GuidelineCheckResult evaluate(ServerReport report) {
             return new NamedGroupsGuidelineCheckResult(getName(), GuidelineAdherence.ADHERED);
         } else {
             return new NamedGroupsGuidelineCheckResult(
-                    getName(), GuidelineAdherence.VIOLATED, nonRecommended);
+                    getName(), GuidelineAdherence.VIOLATED, nonRecommended, recommendedGroups);
         }
     }
 

diff --git a/.../rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java b/.../rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java
@@ -63,10 +63,13 @@ public GuidelineCheckResult evaluate(ServerReport report) {
                 }
             }
             return new SignatureAlgorithmsGuidelineCheckResult(
-                    getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended);
+                    getName(),
+                    GuidelineAdherence.of(notRecommended.isEmpty()),
+                    notRecommended,
+                    recommendedAlgorithms);
         } else {
             return new SignatureAlgorithmsGuidelineCheckResult(
-                    getName(), GuidelineAdherence.CHECK_FAILED, null);
+                    getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms);
         }
     }
 

diff --git a/...r/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java b/...r/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java
@@ -60,7 +60,10 @@ public GuidelineCheckResult evaluate(ServerReport report) {
             }
         }
         return new X509SignatureAlgorithmGuidelineCheckResult(
-                getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended);
+                getName(),
+                GuidelineAdherence.of(nonRecommended.isEmpty()),
+                nonRecommended,
+                recommendedAlgorithms);
     }
 
     @Override

diff --git a/...s/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java b/...s/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java
@@ -88,17 +88,19 @@ public GuidelineCheckResult evaluate(ServerReport report) {
         }
         if (algorithms == null || algorithms.isEmpty()) {
             return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult(
-                    getName(), GuidelineAdherence.CHECK_FAILED, null);
+                    getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms);
         }
         Set<SignatureAndHashAlgorithm> notRecommended = new HashSet<>();
         for (SignatureAndHashAlgorithm alg : algorithms) {
             if (!this.recommendedAlgorithms.contains(alg)) {
                 notRecommended.add(alg);
             }
         }
-        return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( // TODO this needs to
-                // be a new result now
-                getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended);
+        return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult(
+                getName(),
+                GuidelineAdherence.of(notRecommended.isEmpty()),
+                notRecommended,
+                recommendedAlgorithms);
     }
 
     @Override

diff --git a/...e/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java b/...e/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java
@@ -17,13 +17,25 @@
 public class CipherSuiteGuidelineCheckResult extends GuidelineCheckResult {
 
     private final List<CipherSuite> notRecommendedSuites;
+    private final List<CipherSuite> recommendedSuites;
 
     public CipherSuiteGuidelineCheckResult(
             String checkName,
             GuidelineAdherence adherence,
             List<CipherSuite> notRecommendedSuites) {
         super(checkName, adherence);
         this.notRecommendedSuites = notRecommendedSuites;
+        this.recommendedSuites = null;
+    }
+
+    public CipherSuiteGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            List<CipherSuite> notRecommendedSuites,
+            List<CipherSuite> recommendedSuites) {
+        super(checkName, adherence);
+        this.notRecommendedSuites = notRecommendedSuites;
+        this.recommendedSuites = recommendedSuites;
     }
 
     @Override
@@ -39,4 +51,8 @@ public String toString() {
     public List<CipherSuite> getNotRecommendedSuites() {
         return notRecommendedSuites;
     }
+
+    public List<CipherSuite> getRecommendedSuites() {
+        return recommendedSuites;
+    }
 }
diff --git a/...ub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java b/...ub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java
@@ -12,19 +12,32 @@
 import de.rub.nds.protocol.constants.HashAlgorithm;
 import de.rub.nds.scanner.core.guideline.GuidelineAdherence;
 import de.rub.nds.scanner.core.guideline.GuidelineCheckResult;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 
 public class HashAlgorithmsGuidelineCheckResult extends GuidelineCheckResult {
 
     private final Set<HashAlgorithm> notRecommendedAlgorithms;
+    private final List<HashAlgorithm> recommendedAlgorithms;
 
     public HashAlgorithmsGuidelineCheckResult(
             String checkName,
             GuidelineAdherence adherence,
             Set<HashAlgorithm> notRecommendedAlgorithms) {
         super(checkName, adherence);
         this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = null;
+    }
+
+    public HashAlgorithmsGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            Set<HashAlgorithm> notRecommendedAlgorithms,
+            List<HashAlgorithm> recommendedAlgorithms) {
+        super(checkName, adherence);
+        this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = recommendedAlgorithms;
     }
 
     @Override
@@ -43,4 +56,8 @@ public String toString() {
     public Set<HashAlgorithm> getNotRecommendedAlgorithms() {
         return notRecommendedAlgorithms;
     }
+
+    public List<HashAlgorithm> getRecommendedAlgorithms() {
+        return recommendedAlgorithms;
+    }
 }
diff --git a/...e/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java b/...e/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java
@@ -21,6 +21,7 @@ public class NamedGroupsGuidelineCheckResult extends GuidelineCheckResult {
     private Set<NamedGroup> notRecommendedGroups;
     private List<NamedGroup> missingRequired;
     private Integer groupCount;
+    private List<NamedGroup> recommendedGroups;
 
     public NamedGroupsGuidelineCheckResult(String checkName, GuidelineAdherence adherence) {
         super(checkName, adherence);
@@ -32,6 +33,16 @@ public NamedGroupsGuidelineCheckResult(
         this.notRecommendedGroups = notRecommendedGroups;
     }
 
+    public NamedGroupsGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            Set<NamedGroup> notRecommendedGroups,
+            List<NamedGroup> recommendedGroups) {
+        super(checkName, adherence);
+        this.notRecommendedGroups = notRecommendedGroups;
+        this.recommendedGroups = recommendedGroups;
+    }
+
     public NamedGroupsGuidelineCheckResult(
             String checkName, GuidelineAdherence adherence, List<NamedGroup> missingRequired) {
         super(checkName, adherence);
@@ -77,4 +88,8 @@ public List<NamedGroup> getMissingRequired() {
     public Integer getGroupCount() {
         return groupCount;
     }
+
+    public List<NamedGroup> getRecommendedGroups() {
+        return recommendedGroups;
+    }
 }
diff --git a/...s/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java b/...s/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java
@@ -12,19 +12,32 @@
 import de.rub.nds.protocol.constants.SignatureAlgorithm;
 import de.rub.nds.scanner.core.guideline.GuidelineAdherence;
 import de.rub.nds.scanner.core.guideline.GuidelineCheckResult;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 
 public class SignatureAlgorithmsGuidelineCheckResult extends GuidelineCheckResult {
 
     private final Set<SignatureAlgorithm> notRecommendedAlgorithms;
+    private final List<SignatureAlgorithm> recommendedAlgorithms;
 
     public SignatureAlgorithmsGuidelineCheckResult(
             String checkName,
             GuidelineAdherence adherence,
             Set<SignatureAlgorithm> notRecommendedAlgorithms) {
         super(checkName, adherence);
         this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = null;
+    }
+
+    public SignatureAlgorithmsGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            Set<SignatureAlgorithm> notRecommendedAlgorithms,
+            List<SignatureAlgorithm> recommendedAlgorithms) {
+        super(checkName, adherence);
+        this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = recommendedAlgorithms;
     }
 
     @Override
@@ -43,4 +56,8 @@ public String toString() {
     public Set<SignatureAlgorithm> getNotRecommendedAlgorithms() {
         return notRecommendedAlgorithms;
     }
+
+    public List<SignatureAlgorithm> getRecommendedAlgorithms() {
+        return recommendedAlgorithms;
+    }
 }
diff --git a/...rscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java b/...rscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java
@@ -12,20 +12,33 @@
 import de.rub.nds.scanner.core.guideline.GuidelineAdherence;
 import de.rub.nds.scanner.core.guideline.GuidelineCheckResult;
 import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 
 public class SignatureAndHashAlgorithmsCertificateGuidelineCheckResult
         extends GuidelineCheckResult {
 
     private final Set<SignatureAndHashAlgorithm> notRecommendedAlgorithms;
+    private final List<SignatureAndHashAlgorithm> recommendedAlgorithms;
 
     public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult(
             String checkName,
             GuidelineAdherence adherence,
             Set<SignatureAndHashAlgorithm> notRecommendedAlgorithms) {
         super(checkName, adherence);
         this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = null;
+    }
+
+    public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            Set<SignatureAndHashAlgorithm> notRecommendedAlgorithms,
+            List<SignatureAndHashAlgorithm> recommendedAlgorithms) {
+        super(checkName, adherence);
+        this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = recommendedAlgorithms;
     }
 
     @Override
@@ -44,4 +57,8 @@ public String toString() {
     public Set<SignatureAndHashAlgorithm> getNotRecommendedAlgorithms() {
         return notRecommendedAlgorithms;
     }
+
+    public List<SignatureAndHashAlgorithm> getRecommendedAlgorithms() {
+        return recommendedAlgorithms;
+    }
 }
diff --git a/...lsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java b/...lsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java
@@ -12,19 +12,32 @@
 import de.rub.nds.scanner.core.guideline.GuidelineAdherence;
 import de.rub.nds.scanner.core.guideline.GuidelineCheckResult;
 import de.rub.nds.x509attacker.constants.X509SignatureAlgorithm;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 
 public class X509SignatureAlgorithmGuidelineCheckResult extends GuidelineCheckResult {
 
     private final Set<X509SignatureAlgorithm> notRecommendedAlgorithms;
+    private final List<X509SignatureAlgorithm> recommendedAlgorithms;
 
     public X509SignatureAlgorithmGuidelineCheckResult(
             String checkName,
             GuidelineAdherence adherence,
             Set<X509SignatureAlgorithm> notRecommendedAlgorithms) {
         super(checkName, adherence);
         this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = null;
+    }
+
+    public X509SignatureAlgorithmGuidelineCheckResult(
+            String checkName,
+            GuidelineAdherence adherence,
+            Set<X509SignatureAlgorithm> notRecommendedAlgorithms,
+            List<X509SignatureAlgorithm> recommendedAlgorithms) {
+        super(checkName, adherence);
+        this.notRecommendedAlgorithms = notRecommendedAlgorithms;
+        this.recommendedAlgorithms = recommendedAlgorithms;
     }
 
     @Override
@@ -43,4 +56,8 @@ public String toString() {
     public Set<X509SignatureAlgorithm> getNotRecommendedAlgorithms() {
         return notRecommendedAlgorithms;
     }
+
+    public List<X509SignatureAlgorithm> getRecommendedAlgorithms() {
+        return recommendedAlgorithms;
+    }
 }
diff --git a/...b/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java b/...b/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java
@@ -0,0 +1,56 @@
+/*
+ * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker
+ *
+ * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH
+ *
+ * Licensed under Apache License, Version 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0.txt
+ */
+package de.rub.nds.tlsscanner.serverscanner.guideline.results;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import de.rub.nds.scanner.core.guideline.GuidelineAdherence;
+import de.rub.nds.tlsattacker.core.constants.CipherSuite;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+
+public class CipherSuiteGuidelineCheckResultTest {
+
+    @Test
+    public void testRecommendedSuitesField() {
+        List<CipherSuite> recommendedSuites =
+                Arrays.asList(
+                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+        List<CipherSuite> notRecommendedSuites =
+                Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA);
+
+        CipherSuiteGuidelineCheckResult result =
+                new CipherSuiteGuidelineCheckResult(
+                        "Test Check",
+                        GuidelineAdherence.VIOLATED,
+                        notRecommendedSuites,
+                        recommendedSuites);
+
+        assertEquals(recommendedSuites, result.getRecommendedSuites());
+        assertEquals(notRecommendedSuites, result.getNotRecommendedSuites());
+        assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence());
+    }
+
+    @Test
+    public void testBackwardCompatibility() {
+        List<CipherSuite> notRecommendedSuites =
+                Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA);
+
+        CipherSuiteGuidelineCheckResult result =
+                new CipherSuiteGuidelineCheckResult(
+                        "Test Check", GuidelineAdherence.VIOLATED, notRecommendedSuites);
+
+        assertNull(result.getRecommendedSuites());
+        assertEquals(notRecommendedSuites, result.getNotRecommendedSuites());
+        assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence());
+    }
+}