proper rating of dh group length
This commit is contained in:
parent
78612c86a0
commit
6119d8538e
@ -404,7 +404,6 @@ As of writing, these checks are missing:
|
|||||||
* Zombie POODLE - should be graded **F** if vulnerable
|
* Zombie POODLE - should be graded **F** if vulnerable
|
||||||
* All remaining old Symantec PKI certificates are distrusted - should be graded **T**
|
* All remaining old Symantec PKI certificates are distrusted - should be graded **T**
|
||||||
* Symantec certificates issued before June 2016 are distrusted - should be graded **T**
|
* Symantec certificates issued before June 2016 are distrusted - should be graded **T**
|
||||||
* ! A reading of DH params - should give correct points in `set_key_str_score()`
|
|
||||||
* Anonymous key exchange - should give **0** points in `set_key_str_score()`
|
* Anonymous key exchange - should give **0** points in `set_key_str_score()`
|
||||||
* Exportable key exchange - should give **40** points in `set_key_str_score()`
|
* Exportable key exchange - should give **40** points in `set_key_str_score()`
|
||||||
* Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()`
|
* Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()`
|
||||||
|
22
testssl.sh
22
testssl.sh
@ -1030,7 +1030,7 @@ set_grade_warning() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Sets the score for Category 2 (Key Exchange Strength)
|
# Sets the score for Category 2 (Key Exchange Strength)
|
||||||
# arg1: Short key algorithm ("EC", "DH", "RSA", ...) # Can die, when we get DH_PARAMs
|
# arg1: Short key algorithm ("EC", "DH", "RSA", ...), or "DHE" for ephemeral key size
|
||||||
# arg2: key size (number of bits)
|
# arg2: key size (number of bits)
|
||||||
set_key_str_score() {
|
set_key_str_score() {
|
||||||
local type=$1
|
local type=$1
|
||||||
@ -1038,13 +1038,8 @@ set_key_str_score() {
|
|||||||
|
|
||||||
"$do_rating" || return 0
|
"$do_rating" || return 0
|
||||||
|
|
||||||
# TODO: We need to get the size of DH params (follows the same table as the "else" clause)
|
|
||||||
# For now, verifying the key size will do...
|
|
||||||
if [[ $type == EC ]]; then
|
if [[ $type == EC ]]; then
|
||||||
if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then
|
if [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
||||||
let KEY_EXCH_SCORE=20
|
|
||||||
set_grade_cap "F" "Using an insecure key"
|
|
||||||
elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
|
||||||
let KEY_EXCH_SCORE=40
|
let KEY_EXCH_SCORE=40
|
||||||
set_grade_cap "F" "Using an insecure key"
|
set_grade_cap "F" "Using an insecure key"
|
||||||
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
||||||
@ -1054,15 +1049,12 @@ set_key_str_score() {
|
|||||||
let KEY_EXCH_SCORE=90
|
let KEY_EXCH_SCORE=90
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then
|
if [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
||||||
let KEY_EXCH_SCORE=20
|
|
||||||
set_grade_cap "F" "Using an insecure key"
|
|
||||||
elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
|
||||||
let KEY_EXCH_SCORE=40
|
let KEY_EXCH_SCORE=40
|
||||||
set_grade_cap "F" "Using an insecure key"
|
set_grade_cap "F" "Using an insecure key / DH key exchange parameters"
|
||||||
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
||||||
let KEY_EXCH_SCORE=80
|
let KEY_EXCH_SCORE=80
|
||||||
set_grade_cap "B" "Using a weak key"
|
set_grade_cap "B" "Using a weak key / DH key exchange parameters"
|
||||||
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then
|
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then
|
||||||
let KEY_EXCH_SCORE=90
|
let KEY_EXCH_SCORE=90
|
||||||
fi
|
fi
|
||||||
@ -16677,7 +16669,6 @@ run_logjam() {
|
|||||||
if "$vuln_exportdh_ciphers"; then
|
if "$vuln_exportdh_ciphers"; then
|
||||||
pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DH EXPORT ciphers"
|
pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DH EXPORT ciphers"
|
||||||
fileout "$jsonID" "HIGH" "VULNERABLE, uses DH EXPORT ciphers" "$cve" "$cwe" "$hint"
|
fileout "$jsonID" "HIGH" "VULNERABLE, uses DH EXPORT ciphers" "$cve" "$cwe" "$hint"
|
||||||
set_grade_cap "B" "Uses weak DH key exchange parameters (vulnerable to LOGJAM)"
|
|
||||||
if [[ $subret -eq 3 ]]; then
|
if [[ $subret -eq 3 ]]; then
|
||||||
out ", no DH key detected with <= TLS 1.2"
|
out ", no DH key detected with <= TLS 1.2"
|
||||||
fileout "$jsonID2" "OK" "no DH key detected with <= TLS 1.2"
|
fileout "$jsonID2" "OK" "no DH key detected with <= TLS 1.2"
|
||||||
@ -16693,7 +16684,6 @@ run_logjam() {
|
|||||||
else
|
else
|
||||||
if [[ $subret -eq 1 ]]; then
|
if [[ $subret -eq 1 ]]; then
|
||||||
out_common_prime "$jsonID2" "$cve" "$cwe"
|
out_common_prime "$jsonID2" "$cve" "$cwe"
|
||||||
set_grade_cap "A" "Uses known DH key exchange parameters"
|
|
||||||
if ! "$openssl_no_expdhciphers"; then
|
if ! "$openssl_no_expdhciphers"; then
|
||||||
outln ","
|
outln ","
|
||||||
out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
|
out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
|
||||||
@ -16726,6 +16716,8 @@ run_logjam() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[[ $DH_GROUP_LEN_P -gt 0 ]] && set_key_str_score "DHE" $DH_GROUP_LEN_P
|
||||||
|
|
||||||
outln
|
outln
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt
|
tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return $ret
|
return $ret
|
||||||
|
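Review bot: In run_logjam the DH EXPORT branch loses its `set_grade_cap "B" ...` line and nothing in that branch caps the grade any more; the new `[[ $DH_GROUP_LEN_P -gt 0 ]] && set_key_str_score "DHE" $DH_GROUP_LEN_P` at the end of the function only reproduces that cap if DH_GROUP_LEN_P holds the export-grade group length, and from this hunk it is not visible whether the variable is set from the export negotiation or from an earlier, stronger DH handshake (in which case a LOGJAM-vulnerable server would be scored as if it were fine). The same applies to the removed `set_grade_cap "A"` in the common-prime branch, which now only matters through the group size. In set_key_str_score the commit also drops the lowest tier: keys under 512 bits (EC under 110) previously scored 20 with an F cap and now fall into the 40-point tier, so the weakest keys are rated the same as the exportable case the doc file lists as 40 points; if that collapse is not intended, keep `if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then let KEY_EXCH_SCORE=20; set_grade_cap "F" "Using an insecure key / DH key exchange parameters"` as the first arm. Since `$type` now carries "DHE", the cap messages could also pick "insecure key" versus "DH key exchange parameters" from it instead of printing both. set_key_str_score and run_logjam both start outside the shown hunks.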