Address comments in #1205

This commit addresses the comments in #1205. If a server only supports TLS 1.3, then it is not considered an issue if the server does not enforce a cipher order. However, if the server does not support a cipher order for TLS 1.2 and below, then that is an issue, even if the server does support a cipher order for TLS 1.3.
David Cooper 2019-10-28 16:15:38 -04:00 committed by GitHub
parent beec1a7e1e
commit 2810c70163
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6264,8 +6264,14 @@ run_server_preference() {
[[ $cipher1 == $cipher2 ]] && has_cipher_order=true
fi
debugme echo "has_cipher_order: $has_cipher_order"
debugme echo "has_tls13_cipher_order: $has_tls13_cipher_order"
if ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
out "nope"
limitedsense=" (limited sense as client will pick)"
fileout "$jsonID" "INFO" "NOT a cipher order configured"
elif ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
# server used the different ends (ciphers) from the client hello
pr_svrty_high "nope (NOT ok)"
limitedsense=" (limited sense as client will pick)"
@ -6274,10 +6280,11 @@ run_server_preference() {
pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
pr_svrty_good "yes (OK)"; out " -- only for TLS 1.3"
fileout "$jsonID" "OK" "server -- < TLS 1.3 client determined"
pr_svrty_high "nope (NOT ok)"; out " -- only for TLS 1.3"
fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
else
pr_svrty_best "yes (OK)"
"$has_tls13_cipher_order" && out " -- TLS 1.3 and below"
fileout "$jsonID" "OK" "server"
fi
outln
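Review bot: In the `! "$has_cipher_order" && "$has_tls13_cipher_order"` branch of the second hunk, the severity is now HIGH but the wording is still that of the earlier OK result. The screen shows `nope (NOT ok) -- only for TLS 1.3` and the JSON finding reads `server -- < TLS 1.3 client determined`, so neither says plainly that the missing server order for TLS 1.2 and below is the finding. Wording such as `out " -- server order only for TLS 1.3"` and `fileout "$jsonID" "HIGH" "NOT a cipher order for < TLS 1.3 configured"` would make the entry self-explanatory to someone triaging the report. This branch also leaves `limitedsense` unset, while both other "nope" branches set it. If the code after this hunk uses it for the negotiated cipher, that looks like an omission, but run_server_preference starts and ends outside the visible lines.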