From 231a29cdfd508a9f2a751e8a5642beccc38d3fef Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Sat, 14 Sep 2019 10:41:54 +0200
Subject: [PATCH] Deprecate TLS 1.0 and TLS 1.1
This commit addresses #1251 and gives a slight warning when still using those protocols as government standards are or are at least to expect also to deprecate those protocols. PCI DSS requires not to use TLS 1.0 anymore and browser vendors supposedly will deprecate TLS 1.0/1.1 next year. This is a WIP for testing. It was committed already in May (22ad490ea7b2868a4fd45862ca0bf8a3d8f24ea6) but somehow it was lost. Comments would be appeciated. Open: - how to treat non-HTTP protocols - TLS 1.3 only hosts will mark the absence of TLS 1.2 as a medium finding
---
 testssl.sh | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index ac90014..720c4b2 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1702,9 +1702,9 @@ check_revocation_crl() {
 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
 scheme="$(tolower "${crl%%://*}")"
 # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
- [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
+ [[ "$scheme" == http ]] || [[ "$scheme" == https ]] || [[ "$scheme" == ldap ]] || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
- if [[ "$scheme" == "ldap" ]]; then
+ if [[ "$scheme" == ldap ]]; then
 ldap_get "$crl" "$tmpfile" "$jsonID"
 success=$?
 else
@@ -1737,7 +1737,7 @@ check_revocation_crl() {
 fileout "$jsonID" "OK" "not revoked"
 else
 retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err")
- if [[ "$retcode" == "23" ]]; then # see verify_retcode_helper()
+ if [[ "$retcode" == 23 ]]; then # see verify_retcode_helper()
 out ", "
 pr_svrty_critical "revoked"
 fileout "$jsonID" "CRITICAL" "revoked"
@@ -5027,8 +5027,8 @@ run_protocols() {
 run_prototest_openssl "-tls1"
 fi
 case $? in
- 0) outln "offered"
- fileout "$jsonID" "INFO" "offered"
+ 0) pr_svrty_low "offered" ; outln " (deprecated)"
+ fileout "$jsonID" "LOW" "offered (deprecated)"
 latest_supported="0301"
 latest_supported_string="TLSv1.0"
 add_tls_offered tls1 yes
@@ -5101,8 +5101,8 @@ run_protocols() {
 run_prototest_openssl "-tls1_1"
 fi
 case $? in
- 0) outln "offered"
- fileout "$jsonID" "INFO" "offered"
+ 0) pr_svrty_low "offered" ; outln " (deprecated)"
+ fileout "$jsonID" "LOW" "offered (deprecated)"
 latest_supported="0302"
 latest_supported_string="TLSv1.1"
 add_tls_offered tls1_1 yes
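Review bot: The `fileout` finding text changes from `offered` to `offered (deprecated)` together with the severity, both in this TLS 1 branch and in the TLS 1.1 branch of the following hunk, so a consumer of the machine-readable output that compares the finding against the literal `offered` would presumably stop matching. Consider keeping that value stable, e.g. `fileout "$jsonID" "LOW" "offered"`, and leaving the `(deprecated)` hint to the terminal line, or record the new value where the output format is documented. A one-line comment above each branch such as `# TLS 1.0/1.1 are deprecated: rated LOW instead of INFO` would explain why these two protocols are rated differently from the others. The enclosing `case` in run_protocols() starts and ends outside the hunk.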
@@ -5375,33 +5375,35 @@ run_protocols() {
 latest_supported_string="TLSv1.3"
 add_tls_offered tls1_3 yes
 ;;
- 1) out "not offered"
+ 1) pr_svrty_low "not offered"
 if ! "$using_sockets" || [[ -z $latest_supported ]]; then
 outln
- fileout "$jsonID" "INFO" "not offered"
+ fileout "$jsonID" "LOW" "not offered"
 else
 prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string"
 fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
 fi
 add_tls_offered tls1_3 no
 ;;
- 2) out "not offered"
- if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
+ 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
 detected_version_string="SSLv3"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
 detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
 fi
 if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
 [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
- outln
- fileout "$jsonID" "INFO" "not offered and downgraded to a weaker protocol"
+ outln "not offered and downgraded to a weaker protocol"
+ fileout "$jsonID" "INFO" "not offered + downgraded to weaker protocol"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
+ out "not offered"
 prln_svrty_critical " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
 fileout "$jsonID" "CRITICAL" "not offered, and downgraded to $detected_version_string rather than $latest_supported_string"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0304 ]]; then
+ out "not offered"
 prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client"
 fileout "$jsonID" "CRITICAL" "not offered, server responded with higher version number ($detected_version_string) than requested by client"
 else
+ out "not offered"
 prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fi
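Review bot: In the `2)` branch the DEBUG `tm_out " -- downgraded"` now runs before any "not offered" text is printed, because the leading `out "not offered"` was moved into the later branches; with DEBUG set the line would read ` -- downgradednot offered and downgraded to a weaker protocol`. The same branch keeps `fileout "$jsonID" "INFO" …` while the `1)` branch now reports a missing TLS 1.3 as `LOW`, so the rating of the same condition depends on which return code the probe produced, and the terminal string (`and downgraded to a weaker protocol`) no longer matches the `fileout` string (`+ downgraded to weaker protocol`). I would print first and debug after, e.g. `out "not offered and downgraded to a weaker protocol"`, then the DEBUG `tm_out`, then a bare `outln`, and settle on one severity and one wording for both paths. run_protocols() starts and ends outside the hunk.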