Fix naming of average ciphers
... which lead to a problem with CBC ciphers. See #1157
This commit is contained in:
parent
bd2e10bffe
commit
1769378139
12
testssl.sh
12
testssl.sh
|
@ -5468,7 +5468,7 @@ run_cipherlists() {
|
||||||
local ossl_exp_ciphers exp_ciphers sslv2_exp_ciphers
|
local ossl_exp_ciphers exp_ciphers sslv2_exp_ciphers
|
||||||
local ossl_low_ciphers low_ciphers sslv2_low_ciphers
|
local ossl_low_ciphers low_ciphers sslv2_low_ciphers
|
||||||
local ossl_tdes_ciphers tdes_ciphers sslv2_tdes_cipher
|
local ossl_tdes_ciphers tdes_ciphers sslv2_tdes_cipher
|
||||||
local ossl_medium_ciphers medium_ciphers
|
local ossl_average_ciphers average_ciphers
|
||||||
local strong_ciphers
|
local strong_ciphers
|
||||||
local cwe="CWE-327"
|
local cwe="CWE-327"
|
||||||
local cwe2="CWE-310"
|
local cwe2="CWE-310"
|
||||||
|
@ -5505,13 +5505,13 @@ run_cipherlists() {
|
||||||
tdes_ciphers="00,07, 00,0A, 00,0D, 00,10, 00,13, 00,16, 00,1F, 00,21, 00,23, 00,25, 00,8B, 00,8F, 00,93, C0,03, C0,08, C0,0D, C0,12, C0,1A, C0,1B, C0,1C, C0,34, FE,FF, FF,E0, 00,FF"
|
tdes_ciphers="00,07, 00,0A, 00,0D, 00,10, 00,13, 00,16, 00,1F, 00,21, 00,23, 00,25, 00,8B, 00,8F, 00,93, C0,03, C0,08, C0,0D, C0,12, C0,1A, C0,1B, C0,1C, C0,34, FE,FF, FF,E0, 00,FF"
|
||||||
sslv2_tdes_ciphers="05,00,80, 07,00,c0, 07,01,c0"
|
sslv2_tdes_ciphers="05,00,80, 07,00,c0, 07,01,c0"
|
||||||
|
|
||||||
ossl_medium_ciphers='HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'
|
ossl_average_ciphers='HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'
|
||||||
# egrep -w "256|128" etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|RC2|RC4|IDEA"
|
# egrep -w "256|128" etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|RC2|RC4|IDEA"
|
||||||
medium_ciphers="00,2F, 00,30, 00,31, 00,32, 00,33, 00,35, 00,36, 00,37, 00,38, 00,39, 00,3C, 00,3D, 00,3E, 00,3F, 00,40, 00,41, 00,42, 00,43, 00,44, 00,45, 00,67, 00,68, 00,69, 00,6A, 00,6B, 00,84, 00,85, 00,86, 00,87, 00,88, 00,8C, 00,8D, 00,90, 00,91, 00,94, 00,95, 00,96, 00,97, 00,98, 00,99, 00,9A, 00,AE, 00,AF, 00,B2, 00,B3, 00,B6, 00,B7, 00,BA, 00,BB, 00,BC, 00,BD, 00,BE, 00,C0, 00,C1, 00,C2, 00,C3, 00,C4, C0,04, C0,05, C0,09, C0,0A, C0,0E, C0,0F, C0,13, C0,14, C0,1D, C0,1E, C0,1F, C0,20, C0,21, C0,22, C0,23, C0,24, C0,25, C0,26, C0,27, C0,28, C0,29, C0,2A, C0,35, C0,36, C0,37, C0,38, C0,3C, C0,3D, C0,3E, C0,3F, C0,40, C0,41, C0,42, C0,43, C0,44, C0,45, C0,48, C0,49, C0,4A, C0,4B, C0,4C, C0,4D, C0,4E, C0,4F, C0,64, C0,65, C0,66, C0,67, C0,68, C0,69, C0,70, C0,71, C0,72, C0,73, C0,74, C0,75, C0,76, C0,77, C0,78, C0,79, C0,94, C0,95, C0,96, C0,97, C0,98, C0,99, C0,9A, C0,9B"
|
average_ciphers="00,2F, 00,30, 00,31, 00,32, 00,33, 00,35, 00,36, 00,37, 00,38, 00,39, 00,3C, 00,3D, 00,3E, 00,3F, 00,40, 00,41, 00,42, 00,43, 00,44, 00,45, 00,67, 00,68, 00,69, 00,6A, 00,6B, 00,84, 00,85, 00,86, 00,87, 00,88, 00,8C, 00,8D, 00,90, 00,91, 00,94, 00,95, 00,96, 00,97, 00,98, 00,99, 00,9A, 00,AE, 00,AF, 00,B2, 00,B3, 00,B6, 00,B7, 00,BA, 00,BB, 00,BC, 00,BD, 00,BE, 00,C0, 00,C1, 00,C2, 00,C3, 00,C4, C0,04, C0,05, C0,09, C0,0A, C0,0E, C0,0F, C0,13, C0,14, C0,1D, C0,1E, C0,1F, C0,20, C0,21, C0,22, C0,23, C0,24, C0,25, C0,26, C0,27, C0,28, C0,29, C0,2A, C0,35, C0,36, C0,37, C0,38, C0,3C, C0,3D, C0,3E, C0,3F, C0,40, C0,41, C0,42, C0,43, C0,44, C0,45, C0,48, C0,49, C0,4A, C0,4B, C0,4C, C0,4D, C0,4E, C0,4F, C0,64, C0,65, C0,66, C0,67, C0,68, C0,69, C0,70, C0,71, C0,72, C0,73, C0,74, C0,75, C0,76, C0,77, C0,78, C0,79, C0,94, C0,95, C0,96, C0,97, C0,98, C0,99, C0,9A, C0,9B"
|
||||||
# Workaround: If we use sockets and in order not to hit 132+1 ciphers we omit the GOST ciphers if SERVER_SIZE_LIMIT_BUG is true.
|
# Workaround: If we use sockets and in order not to hit 132+1 ciphers we omit the GOST ciphers if SERVER_SIZE_LIMIT_BUG is true.
|
||||||
# This won't be supported by Cisco ACE anyway. Catch is, if SERVER_SIZE_LIMIT_BUG was not tested for before (only this function is being called)
|
# This won't be supported by Cisco ACE anyway. Catch is, if SERVER_SIZE_LIMIT_BUG was not tested for before (only this function is being called)
|
||||||
"$SERVER_SIZE_LIMIT_BUG" || medium_ciphers="${medium_ciphers}, 00,80, 00,81, FF,00, FF,01, FF,02, FF,03, FF,85"
|
"$SERVER_SIZE_LIMIT_BUG" || average_ciphers="${average_ciphers}, 00,80, 00,81, FF,00, FF,01, FF,02, FF,03, FF,85"
|
||||||
medium_ciphers="${medium_ciphers}, 00,FF"
|
average_ciphers="${average_ciphers}, 00,FF"
|
||||||
|
|
||||||
# Here's the strongest discrepancy between sockets and OpenSSL
|
# Here's the strongest discrepancy between sockets and OpenSSL
|
||||||
ossl_strong_ciphers='AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM:ARIAGCM'
|
ossl_strong_ciphers='AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM:ARIAGCM'
|
||||||
|
@ -5539,7 +5539,7 @@ run_cipherlists() {
|
||||||
ret=$((ret + $?))
|
ret=$((ret + $?))
|
||||||
sub_cipherlists "$ossl_tdes_ciphers" "" " Triple DES Ciphers / IDEA " -1 "3DES_IDEA" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$using_sockets" "$cve" "$cwe2"
|
sub_cipherlists "$ossl_tdes_ciphers" "" " Triple DES Ciphers / IDEA " -1 "3DES_IDEA" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$using_sockets" "$cve" "$cwe2"
|
||||||
ret=$((ret + $?))
|
ret=$((ret + $?))
|
||||||
sub_cipherlists "$ossl_medium_ciphers" "" " Average: SEED + 128+256 Bit CBC ciphers " 0 "AVERAGE" "$average_ciphers" "" "$using_sockets" "$cve" "$cwe2"
|
sub_cipherlists "$ossl_average_ciphers" "" " Average: SEED + 128+256 Bit CBC ciphers " 0 "AVERAGE" "$average_ciphers" "" "$using_sockets" "$cve" "$cwe2"
|
||||||
ret=$((ret + $?))
|
ret=$((ret + $?))
|
||||||
sub_cipherlists "$ossl_strong_ciphers" 'ALL' " Strong encryption (AEAD ciphers) " 2 "STRONG" "$strong_ciphers" "" "$using_sockets" "" ""
|
sub_cipherlists "$ossl_strong_ciphers" 'ALL' " Strong encryption (AEAD ciphers) " 2 "STRONG" "$strong_ciphers" "" "$using_sockets" "" ""
|
||||||
ret=$((ret + $?))
|
ret=$((ret + $?))
|
||||||
|
|
Loading…
Reference in New Issue