From 045778b2d82eb07fe8c2ee91d30b924382683295 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 7 Sep 2022 12:45:59 -0700 Subject: [PATCH] Fix #1311 This commit fixes #1311 by only rating the lack of a server-enforced ciper order negatively if there is a difference in the quality rating of the ciphers offered for a particular protocol. --- testssl.sh | 114 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 101 insertions(+), 13 deletions(-) diff --git a/testssl.sh b/testssl.sh index 530a706..d7b3b16 100755 --- a/testssl.sh +++ b/testssl.sh @@ -268,6 +268,7 @@ NR_HEADER_FAIL=0 # .. for HTTP_GET PROTOS_OFFERED="" # This keeps which protocol is being offered. See has_server_protocol(). TLS12_CIPHER_OFFERED="" # This contains the hexcode of a cipher known to be supported by the server with TLS 1.2 CURVES_OFFERED="" # This keeps which curves have been detected. Just for error handling +NO_CIPHER_ORDER_LEVEL=5 # This is the finding level to report if the server does not enforce a cipher order for one or more protocol versions. KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling DETECTED_TLS_VERSION="" # .. as hex string, e.g. 0300 or 0303 APP_TRAF_KEY_INFO="" # Information about the application traffic keys for a TLS 1.3 connection. @@ -4243,6 +4244,7 @@ ciphers_by_strength() { local available proto_supported=false local id local has_dh_bits="$HAS_DH_BITS" + local -i quality worst_cipher=8 best_cipher=0 difference_rating=5 # for local problem if it happens "$wide" || out " " @@ -4505,12 +4507,51 @@ ciphers_by_strength() { fi if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then - if [[ $proto_ossl == tls1_3 ]]; then - outln " (no server order, thus listed by strength)" - elif ! "$serverpref_known"; then + if ! "$serverpref_known"; then outln " (listed by strength)" else - prln_svrty_high " (no server order, thus listed by strength)" + # Determine the best and worst quality level findings for the supported ciphers + for (( i=0 ; i