From 7a1fb66957b60a7b28f7d6e54964a3eced587894 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 25 Dec 2017 14:55:12 +0100
Subject: [PATCH] Further (slight) update on cipher quality coloring

TLS_RSA_* which don't fall into the aleady mentioned categories (CBC cipher, export, RC4 etc.) are now a bit more more penalized. Those are the ones which have an RSA key exchange AND a modern encryption.

pr_cipher_quality() needs to be redone after carefully reconsidered which cipher should have which rating.
---
 testssl.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/testssl.sh b/testssl.sh
index c4218a5..1bbc38d 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4863,6 +4863,7 @@ pr_ecdh_curve_quality() {
 # 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
 # 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
 #
+# Please note this section isn't particular spot on. It needs to be reconsidered/redone
 pr_cipher_quality() {
 local cipher="$1"
 local text="$2"
@@ -4883,6 +4884,11 @@ pr_cipher_quality() {
 pr_svrty_high "$text"
 return 2
 ;;
+ AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM|AES128-CCM|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)
+ # RSA kx and e.g. GCM isn't certainly the best
+ pr_done_good "$text"
+ return 6
+ ;;
 *GCM*|*CCM*|*CHACHA20*)
 pr_done_best "$text"
 return 7
@@ -4913,6 +4919,16 @@ pr_cipher_quality() {
 pr_svrty_high "$text"
 return 2
 ;;
+ TLS_RSA_*)
+ if [[ "$cipher" =~ CBC ]]; then
+ pr_svrty_low "$text"
+ return 4
+ else
+ pr_done_good "$text"
+ # RSA kx and e.g. GCM isn't certainly the best
+ return 6
+ fi
+ ;;
 *GCM*|*CCM*|*CHACHA20*)
 pr_done_best "$text"
 return 7
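Review bot: The comment `# RSA kx and e.g. GCM isn't certainly the best` on the new AES256-GCM-SHA384 arm (and again in the TLS_RSA_* arm of the third hunk) does not say why the rating is capped at pr_done_good; the reason, per the commit message, is the static RSA key exchange, which provides no forward secrecy. Suggest `# static RSA key exchange: no forward secrecy, so an AEAD cipher here rates "good", not "best"` in both places. The arm also pins six literal OpenSSL names, so any other unprefixed AEAD name (e.g. the CCM8 variants, if the cipher list carries them) still falls through to the `*GCM*|*CCM*|*CHACHA20*` arm below and is rated best; since OpenSSL names RSA-kx suites without a kx prefix, a pattern such as `AES*-GCM-*|AES*-CCM*|ARIA*-GCM-*)` would presumably cover them while the ECDHE-/DHE-prefixed names still skip it. The case statement of pr_cipher_quality starts and ends outside this hunk.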
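Review bot: The `else` branch of the new `TLS_RSA_*)` arm rates every non-CBC TLS_RSA_ suite pr_done_good, so it relies on the arms above this hunk (not visible here) having already caught the NULL, export, RC4 and 3DES IANA names; any such name that reaches this arm is rated good instead of penalised. Safer is to name the ciphers that earn the rating, e.g. `elif [[ "$cipher" =~ (GCM|CCM|CHACHA20) ]]; then` ahead of the `pr_done_good` call, with whatever remains going to pr_svrty_low or the neutral rating rather than to good. Two style points: the CBC test uses a regex (`=~ CBC`) where the neighbouring arms use glob patterns (`*GCM*`), so `[[ "$cipher" == *CBC* ]]` would read consistently; and the explanatory comment sits between `pr_done_good "$text"` and `return 6`, unlike the second hunk where it precedes the call. The case statement and the function continue outside the hunk.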