Finalize Weak 128 Bit ciphers

This fixes #1157.

* Move IDEA to the same category as 3DES
* Rename the category to 3DES_IDEA (JSON)
* Rename 128 Bit category to AVERAGE (JSON)
* Move 256 Bit CBC ciphers into this category too
* Remove category HIGH

Furthermore:

* Code readability improvements, especially in run_cipherlists()
* fix minor bugs (e.g. aNULL ciphers were used in higher categories when --ssl-native was supplied)
* rearrange order for sub_cipherlists()
* proper documentation for arguments of sub_cipherlists() in run_cipherlists()
* add "$cve" "$cwe" arguments to fileout in sub_cipherlists() -- (they were passed before but not used)
* change debugging leftover filenames for sub_cipherlists to the JSON identifier
Dirk 2019-02-13 15:44:46 +01:00
parent 3d55d0ebd1
commit 5e9a326dfe
1 changed files with 95 additions and 75 deletions


@ -2997,19 +2997,27 @@ listciphers() {
# argv[5]: string to be appended for fileout # argv[5]: string to be appended for fileout
# argv[6]: non-SSLv2 cipher list to test (hexcodes), if using sockets # argv[6]: non-SSLv2 cipher list to test (hexcodes), if using sockets
# argv[7]: SSLv2 cipher list to test (hexcodes), if using sockets # argv[7]: SSLv2 cipher list to test (hexcodes), if using sockets
# argv[8]: true if using sockets, false if not
# argv[9]: CVE
# argv[10]: CWE
#
sub_cipherlists() { sub_cipherlists() {
local -i i len sclient_success=1 local -i i len sclient_success=1
local cipherlist sslv2_cipherlist detected_ssl2_ciphers local cipherlist sslv2_cipherlist detected_ssl2_ciphers
local singlespaces local singlespaces
local proto="" local proto=""
local -i ret=0 local -i ret=0
local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")"
local jsonID="cipherlist" local jsonID="cipherlist"
local using_sockets="${8}"
local cve="${9}"
local cwe="${10}"
pr_bold "$3 "
[[ "$OPTIMAL_PROTO" == -ssl2 ]] && proto="$OPTIMAL_PROTO" [[ "$OPTIMAL_PROTO" == -ssl2 ]] && proto="$OPTIMAL_PROTO"
pr_bold "$3 " # to be indented equal to server preferences jsonID="${jsonID}_$5"
if [[ -n "$6" ]] || listciphers "$1" "$2" $proto; then
if [[ -z "$6" ]] || ( "$FAST" && listciphers "$1" "$2" -tls1 ); then if "$using_sockets" || listciphers "$1" "$2" $proto; then
if ! "$using_sockets" || ( "$FAST" && listciphers "$1" "$2" -tls1 ); then
for proto in -no_ssl2 -tls1_2 -tls1_1 -tls1 -ssl3; do for proto in -no_ssl2 -tls1_2 -tls1_1 -tls1 -ssl3; do
if [[ "$proto" == -tls1_2 ]]; then if [[ "$proto" == -tls1_2 ]]; then
# If $OPENSSL doesn't support TLSv1.3 or if no TLSv1.3 # If $OPENSSL doesn't support TLSv1.3 or if no TLSv1.3
@ -3067,10 +3075,10 @@ sub_cipherlists() {
# If server failed with a known error, raise it to the user. # If server failed with a known error, raise it to the user.
if [[ $STARTTLS_PROTOCOL == mysql ]]; then if [[ $STARTTLS_PROTOCOL == mysql ]]; then
pr_warning "SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug." pr_warning "SERVER_ERROR: test inconclusive due to MySQL Community Edition (yaSSL) bug."
fileout "${jsonID}_$5" "WARN" "SERVER_ERROR, test inconclusive due to MySQL Community Edition (yaSSL) bug." fileout "$jsonID" "WARN" "SERVER_ERROR, test inconclusive due to MySQL Community Edition (yaSSL) bug." "$cve" "$cwe"
else else
pr_warning "SERVER_ERROR: test inconclusive." pr_warning "SERVER_ERROR: test inconclusive."
fileout "${jsonID}_$5" "WARN" "SERVER_ERROR, test inconclusive." fileout "$jsonID" "WARN" "SERVER_ERROR, test inconclusive." "$cve" "$cwe"
fi fi
((ret++)) ((ret++))
else else
@ -3079,58 +3087,58 @@ sub_cipherlists() {
2) if [[ $sclient_success -eq 0 ]]; then 2) if [[ $sclient_success -eq 0 ]]; then
# Strong is excellent to offer # Strong is excellent to offer
pr_svrty_best "offered (OK)" pr_svrty_best "offered (OK)"
fileout "${jsonID}_$5" "OK" "offered" fileout "$jsonID" "OK" "offered" "$cve" "$cwe"
else else
pr_svrty_medium "not offered" pr_svrty_medium "not offered"
fileout "${jsonID}_$5" "MEDIUM" "not offered" fileout "$jsonID" "MEDIUM" "not offered" "$cve" "$cwe"
fi fi
;; ;;
1) if [[ $sclient_success -eq 0 ]]; then 1) if [[ $sclient_success -eq 0 ]]; then
# High is good to offer # High is good to offer
pr_svrty_good "offered (OK)" pr_svrty_good "offered (OK)"
fileout "${jsonID}_$5" "OK" "offered" fileout "$jsonID" "OK" "offered" "$cve" "$cwe"
else else
# FIXME: we penalize the absence of high but don't know the result of strong encryption yet (next) # FIXME: we penalize the absence of high but don't know the result of strong encryption yet (next)
pr_svrty_medium "not offered" pr_svrty_medium "not offered"
fileout "${jsonID}_$5" "MEDIUM" "not offered" fileout "$jsonID" "MEDIUM" "not offered" "$cve" "$cwe"
fi fi
;; ;;
0) if [[ $sclient_success -eq 0 ]]; then 0) if [[ $sclient_success -eq 0 ]]; then
# medium is not that bad # medium is not that bad
pr_svrty_low "offered" pr_svrty_low "offered"
fileout "${jsonID}_$5" "LOW" "offered" fileout "$jsonID" "LOW" "offered" "$cve" "$cwe"
else else
out "not offered" out "not offered"
fileout "${jsonID}_$5" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered" "$cve" "$cwe"
fi fi
;; ;;
-1) if [[ $sclient_success -eq 0 ]]; then -1) if [[ $sclient_success -eq 0 ]]; then
# bad but there is worse # bad but there is worse
pr_svrty_high "offered (NOT ok)" pr_svrty_high "offered (NOT ok)"
fileout "${jsonID}_$5" "HIGH" "offered" fileout "$jsonID" "HIGH" "offered" "$cve" "$cwe"
else else
# need a check for -eq 1 here # need a check for -eq 1 here
pr_svrty_good "not offered (OK)" pr_svrty_good "not offered (OK)"
fileout "${jsonID}_$5" "OK" "not offered" fileout "$jsonID" "OK" "not offered" "$cve" "$cwe"
fi fi
;; ;;
-2) if [[ $sclient_success -eq 0 ]]; then -2) if [[ $sclient_success -eq 0 ]]; then
# the ugly ones # the ugly ones
pr_svrty_critical "offered (NOT ok)" pr_svrty_critical "offered (NOT ok)"
fileout "${jsonID}_$5" "CRITICAL" "offered" fileout "$jsonID" "CRITICAL" "offered" "$cve" "$cwe"
else else
pr_svrty_best "not offered (OK)" pr_svrty_best "not offered (OK)"
fileout "${jsonID}_$5" "OK" "not offered" fileout "$jsonID" "OK" "not offered" "$cve" "$cwe"
fi fi
;; ;;
*) # we shouldn't reach this *) # we shouldn't reach this
pr_warning "?: $4 (please report this)" pr_warning "?: $4 (please report this)"
fileout "${jsonID}_$5" "WARN" "return condition $4 unclear" fileout "$jsonID" "WARN" "return condition $4 unclear" "$cve" "$cwe"
((ret++)) ((ret++))
;; ;;
esac esac
fi fi
tmpfile_handle ${FUNCNAME[0]}.$debugname.txt tmpfile_handle ${FUNCNAME[0]}.${5}.txt
[[ $DEBUG -ge 1 ]] && tm_out " -- $1" [[ $DEBUG -ge 1 ]] && tm_out " -- $1"
outln outln
else else
@ -3140,7 +3148,7 @@ sub_cipherlists() {
else else
prln_local_problem "No $singlespaces configured in $OPENSSL" prln_local_problem "No $singlespaces configured in $OPENSSL"
fi fi
fileout "${jsonID}_$5" "WARN" "Cipher $3 ($1) not supported by local OpenSSL ($OPENSSL)" fileout "$jsonID" "WARN" "Cipher $3 ($1) not supported by local OpenSSL ($OPENSSL)"
fi fi
return $ret return $ret
} }
@ -5238,7 +5246,7 @@ run_protocols() {
3) out "not offered, " 3) out "not offered, "
fileout "$jsonID" "OK" "not offered" fileout "$jsonID" "OK" "not offered"
add_tls_offered tls1_2 no add_tls_offered tls1_2 no
pr_warning "TLS downgraded to STARTTLS plaintext"; outl pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely "; pr_svrty_medium "not offered, " 4) out "likely "; pr_svrty_medium "not offered, "
@ -5451,77 +5459,89 @@ run_protocols() {
#TODO: work with fixed lists here --> atm ok, as sockets are preferred. If there would be a single function for testing: yes. #TODO: work with fixed lists here --> atm ok, as sockets are preferred. If there would be a single function for testing: yes.
run_cipherlists() { run_cipherlists() {
local hexc hexcode strength local hexc hexcode strength
local using_sockets=true
local -i i local -i i
local -i ret=0 local -i ret=0
local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff" local ossl_null_ciphers null_ciphers sslv2_null_ciphers
local sslv2_null_ciphers="FF,80,10, 00,00,00" local ossl_anon_ciphers anon_ciphers sslv2_anon_ciphers
local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff" local ossl_exp_ciphers exp_ciphers sslv2_exp_ciphers
local sslv2_anon_ciphers="FF,80,10" local ossl_low_ciphers low_ciphers sslv2_low_ciphers
# ~ grep -i EXP etc/cipher-mapping.txt local ossl_tdes_ciphers tdes_ciphers sslv2_tdes_cipher
local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff" local ossl_medium_ciphers medium_ciphers
local sslv2_exp_ciphers="04,00,80, 02,00,80, 00,00,00" local strong_ciphers
# ~ egrep -w '64|56|RC2|RC4' etc/cipher-mapping.txt | grep -v export
local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff"
local sslv2_low_ciphers="01,00,80, 03,00,80, 08,00,80, 06,00,40, 06,01,40, FF,80,00"
# ~ egrep -w '3DES' etc/cipher-mapping.txt
local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff"
local sslv2_tdes_ciphers="07,00,c0, 07,01,c0"
# ~ egrep -w 128 etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|RC2|RC4"
local medium_ciphers="00,07, 00,21, 00,25, 00,2F, 00,30, 00,31, 00,32, 00,33, 00,3C, 00,3E, 00,3F, 00,40, 00,41, 00,42, 00,43, 00,44, 00,45, 00,67, 00,8C, 00,90, 00,94, 00,96, 00,97, 00,98, 00,99, 00,9A, 00,AE, 00,B2, 00,B6, 00,BA, 00,BB, 00,BC, 00,BD, 00,BE, C0,04, C0,09, C0,0E, C0,13, C0,1D, C0,1E, C0,1F, C0,23, C0,25, C0,27, C0,29, C0,35, C0,37, C0,3C, C0,3E, C0,40, C0,42, C0,44, C0,48, C0,4A, C0,4C, C0,4E, C0,64, C0,66, C0,68, C0,70, C0,72, C0,74, C0,76, C0,78, C0,94, C0,96, C0,98, C0,9A, 00,ff"
# Attention we have a SSLv2 cipher here: IDEA-CBC-MD5 / SSL_CK_IDEA_128_CBC_WITH_MD5
local sslv2_medium_ciphers="05,00,80"
# ~ egrep -w "256" etc/cipher-mapping.txt | grep -v '=None' | egrep -vw 'RC4|AEAD|IDEA|SEED|RC2|GOST'
local high_ciphers="00,35, 00,36, 00,37, 00,38, 00,39, 00,3D, 00,68, 00,69, 00,6A, 00,6B, 00,84, 00,85, 00,86, 00,87, 00,88, 00,8D, 00,91, 00,95, 00,AF, 00,B3, 00,B7, 00,C0, 00,C1, 00,C2, 00,C3, 00,C4, C0,05, C0,0A, C0,0F, C0,14, C0,20, C0,21, C0,22, C0,24, C0,26, C0,28, C0,2A, C0,36, C0,38, C0,3D, C0,3F, C0,41, C0,43, C0,45, C0,49, C0,4B, C0,4D, C0,4F, C0,65, C0,67, C0,69, C0,71, C0,73, C0,75, C0,77, C0,79, C0,95, C0,97, C0,99, C0,9B, 00,ff"
# ~ grep AEAD etc/cipher-mapping.txt | grep -v Au=None
local strong_ciphers="13,01, 13,02, 13,03, 13,04, 13,05, cc,14, cc,13, cc,15, c0,30, c0,2c, 00,a5, 00,a3, 00,a1, 00,9f, cc,a9, cc,a8, cc,aa, c0,af, c0,ad, c0,a3, c0,9f, 00,ad, 00,ab, cc,ae, cc,ad, cc,ac, c0,ab, c0,a7, c0,32, c0,2e, 00,9d, c0,a1, c0,9d, 00,a9, cc,ab, c0,a9, c0,a5, c0,51, c0,53, c0,55, c0,57, c0,59, c0,5d, c0,5f, c0,61, c0,63, c0,6b, c0,6d, c0,6f, c0,7b, c0,7d, c0,7f, c0,81, c0,83, c0,87, c0,89, c0,8b, c0,8d, c0,8f, c0,91, c0,93, 16,b7, 16,b8, 16,b9, 16,ba, c0,2f, c0,2b, 00,a4, 00,a2, 00,a0, 00,9e, c0,ae, c0,ac, c0,a2, c0,9e, 00,ac, 00,aa, c0,aa, c0,a6, c0,a0, c0,9c, 00,a8, c0,a8, c0,a4, c0,31, c0,2d, 00,9c, c0,50, c0,52, c0,54, c0,56, c0,58, c0,5c, c0,5e, c0,60, c0,62, c0,6a, c0,6c, c0,6e, c0,7a, c0,7c, c0,7e, c0,80, c0,82, c0,86, c0,88, c0,8a, c0,8c, c0,8e, c0,90, c0,92, 00,ff"
local cwe="CWE-327" local cwe="CWE-327"
local cwe2="CWE-310" local cwe2="CWE-310"
local cve="" local cve=""
local using_sockets=true
# decoding the >= SSLv3 ciphers in the code above , e.g:
# echo "00,15, c0,11, fe,fe' | sed -e 's/00,/0x00,0x/g' -e 's/c0,/0xc0,0x/g' -e 's/cc,/0xcc,0x/g' -e 's/13,/0x13,0x/g' -e 's/16,/0x16,0x/g' -e 's/fe,/0xfe, 0x/g' -e 's/ff,/0xff,0x/g' -e 's/, /\n/g' |
# while read ci; do grep -wi $ci etc/cipher-mapping.txt; done
"$SSL_NATIVE" && using_sockets=false
if ! "$using_sockets"; then
null_ciphers=""; anon_ciphers=""
exp_ciphers=""; low_ciphers="" medium_ciphers="";
tdes_ciphers=""; high_ciphers=""; strong_ciphers=""
sslv2_null_ciphers=""; sslv2_anon_ciphers=""
sslv2_exp_ciphers=""; sslv2_low_ciphers=""
sslv2_medium_ciphers=""; sslv2_tdes_ciphers=""
fi
outln outln
pr_headlineln " Testing cipher categories " pr_headlineln " Testing cipher categories "
outln outln
# argv[1]: cipher list to test in OpenSSL syntax (see ciphers(1ssl) or run 'openssl ciphers -v/-V)', TLS 1.3 ciphers will be treated automatically "$SSL_NATIVE" && using_sockets=false
# argv[2]: string on console / HTML or "finding"
# argv[3]: rating whether ok to offer # conversion 2 byte ciphers via: echo "$@" | sed -e 's/[[:xdigit:]]\{2\},/0x&/g' -e 's/, /\n/g' | while read ci; do grep -wi $ci etc/cipher-mapping.txt; done
# argv[4]: string to be appended for fileout
# argv[5]: non-SSLv2 cipher list to test (hexcodes), if using sockets ossl_null_ciphers='NULL:eNULL'
# argv[6]: SSLv2 cipher list to test (hexcodes), if using sockets null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff"
sub_cipherlists 'NULL:eNULL' "" " NULL ciphers (no encryption) " -2 "NULL" "$null_ciphers" "$sslv2_null_ciphers" "$cve" "$cwe" sslv2_null_ciphers="FF,80,10, 00,00,00"
ossl_anon_ciphers='aNULL:ADH'
anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
sslv2_anon_ciphers="FF,80,10"
ossl_exp_ciphers='EXPORT:!ADH:!NULL'
# grep -i EXP etc/cipher-mapping.txt
exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
sslv2_exp_ciphers="04,00,80, 02,00,80, 00,00,00"
ossl_low_ciphers='LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'
# egrep -w '64|56|RC2|RC4' etc/cipher-mapping.txt | egrep -v 'Au=None|export'
low_ciphers="00,04, 00,05, 00,09, 00,0C, 00,0F, 00,12, 00,15, 00,1E, 00,20, 00,22, 00,24, 00,66, 00,8A, 00,8E, 00,92, C0,02, C0,07, C0,0C, C0,11, C0,33, FE,FE, FF,E1, 00,FF"
sslv2_low_ciphers="01,00,80, 03,00,80, 06,00,40, 06,01,40, 08,00,80, FF,80,00"
ossl_tdes_ciphers='3DES:IDEA:!aNULL:!ADH'
# egrep -w '3DES|IDEA' etc/cipher-mapping.txt | grep -v "Au=None"
tdes_ciphers="00,07, 00,0A, 00,0D, 00,10, 00,13, 00,16, 00,1F, 00,21, 00,23, 00,25, 00,8B, 00,8F, 00,93, C0,03, C0,08, C0,0D, C0,12, C0,1A, C0,1B, C0,1C, C0,34, FE,FF, FF,E0, 00,FF"
sslv2_tdes_ciphers="05,00,80, 07,00,c0, 07,01,c0"
ossl_medium_ciphers='HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'
# egrep -w "256|128" etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|RC2|RC4|IDEA"
medium_ciphers="00,2F, 00,30, 00,31, 00,32, 00,33, 00,35, 00,36, 00,37, 00,38, 00,39, 00,3C, 00,3D, 00,3E, 00,3F, 00,40, 00,41, 00,42, 00,43, 00,44, 00,45, 00,67, 00,68, 00,69, 00,6A, 00,6B, 00,84, 00,85, 00,86, 00,87, 00,88, 00,8C, 00,8D, 00,90, 00,91, 00,94, 00,95, 00,96, 00,97, 00,98, 00,99, 00,9A, 00,AE, 00,AF, 00,B2, 00,B3, 00,B6, 00,B7, 00,BA, 00,BB, 00,BC, 00,BD, 00,BE, 00,C0, 00,C1, 00,C2, 00,C3, 00,C4, C0,04, C0,05, C0,09, C0,0A, C0,0E, C0,0F, C0,13, C0,14, C0,1D, C0,1E, C0,1F, C0,20, C0,21, C0,22, C0,23, C0,24, C0,25, C0,26, C0,27, C0,28, C0,29, C0,2A, C0,35, C0,36, C0,37, C0,38, C0,3C, C0,3D, C0,3E, C0,3F, C0,40, C0,41, C0,42, C0,43, C0,44, C0,45, C0,48, C0,49, C0,4A, C0,4B, C0,4C, C0,4D, C0,4E, C0,4F, C0,64, C0,65, C0,66, C0,67, C0,68, C0,69, C0,70, C0,71, C0,72, C0,73, C0,74, C0,75, C0,76, C0,77, C0,78, C0,79, C0,94, C0,95, C0,96, C0,97, C0,98, C0,99, C0,9A, C0,9B"
# Workaround: If we use sockets and in order not to hit 132+1 ciphers we omit the GOST ciphers if SERVER_SIZE_LIMIT_BUG is true.
# This won't be supported by Cisco ACE anyway. Catch is, if SERVER_SIZE_LIMIT_BUG was not tested for before (only this function is being called)
"$SERVER_SIZE_LIMIT_BUG" || medium_ciphers="${medium_ciphers}, 00,80, 00,81, FF,00, FF,01, FF,02, FF,03, FF,85"
medium_ciphers="${medium_ciphers}, 00,FF"
# Here's the strongest discrepancy between sockets and OpenSSL
ossl_strong_ciphers='AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM:ARIAGCM'
# grep AEAD etc/cipher-mapping.txt | grep -v Au=None
strong_ciphers="00,9C, 00,9D, 00,9E, 00,9F, 00,A0, 00,A1, 00,A2, 00,A3, 00,A4, 00,A5, 00,A8, 00,A9, 00,AA, 00,AB, 00,AC, 00,AD, 13,01, 13,02, 13,03, 13,04, 13,05, 16,B7, 16,B8, 16,B9, 16,BA, C0,2B, C0,2C, C0,2D, C0,2E, C0,2F, C0,30, C0,31, C0,32, C0,50, C0,51, C0,52, C0,53, C0,54, C0,55, C0,56, C0,57, C0,58, C0,59, C0,5C, C0,5D, C0,5E, C0,5F, C0,60, C0,61, C0,62, C0,63, C0,6A, C0,6B, C0,6C, C0,6D, C0,6E, C0,6F, C0,7A, C0,7B, C0,7C, C0,7D, C0,7E, C0,7F, C0,80, C0,81, C0,82, C0,83, C0,86, C0,87, C0,88, C0,89, C0,8A, C0,8B, C0,8C, C0,8D, C0,8E, C0,8F, C0,90, C0,91, C0,92, C0,93, C0,9C, C0,9D, C0,9E, C0,9F, C0,A0, C0,A1, C0,A2, C0,A3, C0,A4, C0,A5, C0,A6, C0,A7, C0,A8, C0,A9, C0,AA, C0,AB, C0,AC, C0,AD, C0,AE, C0,AF, CC,13, CC,14, CC,15, CC,A8, CC,A9, CC,AA, CC,AB, CC,AC, CC,AD, CC,AE, 00,FF"
# argv[1]: non-TLSv1.3 cipher list to test in OpenSSL syntax
# argv[2]: TLSv1.3 cipher list to test in OpenSSL syntax
# argv[3]: string on console / HTML or "finding"
# argv[4]: rating whether ok to offer
# argv[5]: string to be appended for fileout
# argv[6]: non-SSLv2 cipher list to test (hexcodes), if using sockets
# argv[7]: SSLv2 cipher list to test (hexcodes), if using sockets
# argv[8]: true if using sockets, false if not
# argv[9]: CVE
# argv[10]: CWE
sub_cipherlists "$ossl_null_ciphers" "" " NULL ciphers (no encryption) " -2 "NULL" "$null_ciphers" "$sslv2_null_ciphers" "$using_sockets" "$cve" "$cwe"
ret=$? ret=$?
sub_cipherlists 'aNULL:ADH' "" " Anonymous NULL Ciphers (no authentication)" -2 "aNULL" "$anon_ciphers" "$sslv2_anon_ciphers" "$cve" "$cwe" sub_cipherlists "$ossl_anon_ciphers" "" " Anonymous NULL Ciphers (no authentication)" -2 "aNULL" "$anon_ciphers" "$sslv2_anon_ciphers" "$using_sockets" "$cve" "$cwe"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'EXPORT:!ADH:!NULL' "" " Export ciphers (w/o ADH+NULL) " -2 "EXPORT" "$exp_ciphers" "$sslv2_exp_ciphers" "$cve" "$cwe" sub_cipherlists "$ossl_exp_ciphers" "" " Export ciphers (w/o ADH+NULL) " -2 "EXPORT" "$exp_ciphers" "$sslv2_exp_ciphers" "$using_sockets" "$cve" "$cwe"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL' "" " LOW: 64 Bit + DES, RC[2,4] (w/o export) " -2 "LOW" "$low_ciphers" "$sslv2_low_ciphers" "$cve" "$cwe" sub_cipherlists "$ossl_low_ciphers" "" " LOW: 64 Bit + DES, RC[2,4] (w/o export) " -2 "LOW" "$low_ciphers" "$sslv2_low_ciphers" "$using_sockets" "$cve" "$cwe"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists '3DES:!aNULL:!ADH' "" " Triple DES Ciphers " -1 "3DES" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$cve" "$cwe2" sub_cipherlists "$ossl_tdes_ciphers" "" " Triple DES Ciphers / IDEA " -1 "3DES_IDEA" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$using_sockets" "$cve" "$cwe2"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'MEDIUM:!aNULL:AES128:CAMELLIA128:ARIA128:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM' \ sub_cipherlists "$ossl_medium_ciphers" "" " Average: SEED + 128+256 Bit CBC ciphers " 0 "AVERAGE" "$average_ciphers" "" "$using_sockets" "$cve" "$cwe2"
"" " 128 Bit ciphers (SEED, IDEA, 128 Bit CBC) " 0 "128Bit" "$medium_ciphers" "$sslv2_medium_ciphers" "$cve" "$cwe2"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!CamelliaGCM:!AESCCM:!AESCCM8:!AES128:!CAMELLIA128:!ARIAGCM:!ARIACCM' \ sub_cipherlists "$ossl_strong_ciphers" 'ALL' " Strong encryption (AEAD ciphers) " 2 "STRONG" "$strong_ciphers" "" "$using_sockets" "" ""
"" " High encryption (AES/Aria/Camellia, !AEAD)" 1 "HIGH" "$high_ciphers" ""
ret=$((ret + $?))
sub_cipherlists 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM:ARIAGCM' 'ALL' \
" Strong encryption (AEAD ciphers) " 2 "STRONG" "$strong_ciphers" ""
ret=$((ret + $?)) ret=$((ret + $?))
outln outln
return $ret return $ret
} }
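Review bot: The AVERAGE call in run_cipherlists() passes `"$average_ciphers"` as argv[6], but no variable of that name is declared or assigned in this function; the hex list built just above it is `medium_ciphers` (including the conditional GOST append and the trailing `00,FF`). When `$SSL_NATIVE` is false and sockets are used, sub_cipherlists() would receive an empty cipher list for this category, so the 128/256 Bit CBC finding could be reported as "not offered" regardless of what the server supports; the socket branch of sub_cipherlists() lies outside the visible hunks, so this should be confirmed there. The argument should be `"$medium_ciphers"`, keeping the rest of the call as is. The same kind of name mismatch appears in the declarations: `local ossl_tdes_ciphers tdes_ciphers sslv2_tdes_cipher` lacks the trailing `s` of the variable assigned later, and `ossl_strong_ciphers` is not declared `local` at all, so both assignments end up in global scope.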