ANSSI Reco-TLS R1 in plain English
ANSSI is the French national cybersecurity agency. Their "Recommendations for the Security of TLS Implementations" (Reco-TLS) is the reference document EU regulators (ARS for healthcare, ACPR for banking, CNIL for personal data) consult when assessing compliance. The current version is 1.2, dated 2020-03; an update is expected in 2026.
It's also one of the strictest publicly available TLS standards. Aligning to ANSSI Reco-TLS gets you well above PCI-DSS 4.0 baseline. UnveilScan grades against R1, R2, R5, R6, R10, R12 and a few others by default. Below is the engineer's summary.
R1 — TLS version
"TLS 1.2 SHOULD be considered the minimum acceptable version. TLS 1.3 SHOULD be supported and preferred. TLS 1.0 and 1.1 MUST NOT be supported."
Same as PCI-DSS 4.0 §4.2.1. TLS 1.0/1.1 banned. TLS 1.3 preferred. We grade tls.legacy_protocol_enabled CRITICAL on this. Trade-off discussion in our Google article.
R2 — Cipher suites
The recommended cipher suite list (R2):
TLS 1.2:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS 1.3:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
ECDHE for forward secrecy, AEAD modes (GCM or ChaCha20-Poly1305) only. No CBC. No static RSA / ECDH. No anonymous DH. No NULL. No EXPORT. No 3DES. No RC4. No SHA-1 in HMAC.
R5 — Curves
Approved ECC curves: P-256, P-384, P-521 (NIST), brainpoolP256r1 / brainpoolP384r1 (German BSI). Curve25519 is "tolerated" — modern, widely deployed, but not formally endorsed by ANSSI. Most setups use P-256 or X25519 (TLS 1.3) without issue.
R6 — Key sizes
| Algorithm | Minimum | Recommended |
|---|---|---|
| RSA | 2048 bits | 3072 bits (4096 bits "very strong") |
| DSA / DH | 2048 bits | 3072 bits |
| ECC | 256 bits (P-256) | 384 bits (P-384) |
RSA < 2048 is HIGH severity in our checkers. RSA < 1024 is CRITICAL. Most modern certs are 2048 RSA or 256-bit ECDSA — both meet the minimum.
R10 — Certificate validity
Maximum cert lifetime: 825 days at the time of writing. That's already conservative compared to Let's Encrypt's 90-day default and the upcoming 47-day baseline (cf. our article). No issue here for ACME-managed environments.
R12 — Server name indication
SNI (Server Name Indication) is required for shared-IP environments. Encrypted SNI (eSNI) and Encrypted Client Hello (ECH) are "recommended where supported". Most modern servers do SNI by default.
R20 — Session resumption
TLS session tickets MUST rotate the encryption key periodically. nginx's default is never to rotate, which fails this. Easiest fix: ssl_session_tickets off; (disables ticket-based resumption) or implement key rotation via cron. Our tls_extended checker flags non-rotated tickets in the Extended profile.
The full Reco-TLS document
Available free from cyber.gouv.fr. Look for "Recommandations de sécurité relatives à TLS". The English translation is usually published 6-12 months after the French version.
How UnveilScan grades against ANSSI
Each finding's compliance mapping (in the JSON export) lists the relevant ANSSI rule, e.g.:
```json
{
  "slug": "tls.legacy_protocol_enabled",
  "compliance": [
    {"framework": "ANSSI", "ref": "Reco-TLS R1", "title": "TLS 1.0/1.1 prohibited"},
    {"framework": "PCI-DSS 4.0", "ref": "4.2.1", "title": "Strong cryptography only"},
    {"framework": "RFC 8996", "ref": "BCP", "title": "TLS 1.0/1.1 MUST NOT be used"}
  ]
}
```
Hand the JSON to your auditor; the references are the column they'll fill in their workbook anyway.
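As an added illustration (not UnveilScan's own code), the function below grades one endpoint's observed TLS settings against R1, R2 and R6 as summarised above and emits findings in the same compliance-mapping shape. The scan input format, the tls.weak_cipher_suite / tls.weak_key_size slugs and the HIGH severity for R2 are assumptions made for the example; the sample scan is constructed.

```python
from typing import Any, Dict, List

# Recommended suites from R2 (TLS 1.2 and 1.3), as listed above.
ANSSI_R2_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}
LEGACY_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # R1: MUST NOT be supported
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "ECC": 256}  # R6 minimums

def anssi(rule: str, title: str) -> Dict[str, str]:
    return {"framework": "ANSSI", "ref": f"Reco-TLS {rule}", "title": title}

def grade(scan: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Grade one endpoint's observed TLS settings; returns findings with compliance refs."""
    findings = []
    legacy = sorted(LEGACY_VERSIONS & set(scan["versions"]))
    if legacy:  # graded CRITICAL, as the R1 section says
        findings.append({"slug": "tls.legacy_protocol_enabled", "severity": "CRITICAL",
                         "evidence": legacy, "compliance": [
                             anssi("R1", "TLS 1.0/1.1 prohibited"),
                             {"framework": "PCI-DSS 4.0", "ref": "4.2.1", "title": "Strong cryptography only"},
                             {"framework": "RFC 8996", "ref": "BCP", "title": "TLS 1.0/1.1 MUST NOT be used"}]})
    weak = sorted(set(scan["ciphers"]) - ANSSI_R2_SUITES)  # CBC, static RSA, 3DES, ... all land here
    if weak:  # slug and HIGH severity are this example's assumption
        findings.append({"slug": "tls.weak_cipher_suite", "severity": "HIGH",
                         "evidence": weak, "compliance": [anssi("R2", "Recommended cipher suites only")]})
    kind, bits = scan["key_type"], scan["key_bits"]
    if bits < MIN_KEY_BITS[kind]:
        # RSA < 2048 is HIGH and RSA < 1024 CRITICAL, per the R6 section; other types graded HIGH (assumption)
        sev = "CRITICAL" if kind == "RSA" and bits < 1024 else "HIGH"
        findings.append({"slug": "tls.weak_key_size", "severity": sev,  # slug assumed
                         "evidence": f"{kind} {bits}-bit", "compliance": [anssi("R6", "Minimum key sizes")]})
    return findings

# Constructed sample: TLS 1.0 still on, one CBC suite still enabled, 2048-bit RSA key.
SAMPLE_SCAN = {
    "versions": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_AES_128_GCM_SHA256"],
    "key_type": "RSA", "key_bits": 2048,
}

if __name__ == "__main__":
    import json
    print(json.dumps(grade(SAMPLE_SCAN), indent=1))
```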