Further (slight) update on cipher quality coloring

TLS_RSA_* which don't fall into the already mentioned
    categories (CBC cipher, export, RC4 etc.) are now
    a bit more penalized. Those are the ones which have
    an RSA key exchange AND a modern encryption.

    pr_cipher_quality() needs to be redone after carefully
    reconsidering which cipher should have which rating.
Dirk 2017-12-25 14:55:12 +01:00
parent 85fa5f4fa9
commit 7a1fb66957


@ -4863,6 +4863,7 @@ pr_ecdh_curve_quality() {
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low # 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best # 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
# #
# Please note this section isn't particular spot on. It needs to be reconsidered/redone
pr_cipher_quality() { pr_cipher_quality() {
local cipher="$1" local cipher="$1"
local text="$2" local text="$2"
@ -4883,6 +4884,11 @@ pr_cipher_quality() {
pr_svrty_high "$text" pr_svrty_high "$text"
return 2 return 2
;; ;;
AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM|AES128-CCM|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)
# RSA kx and e.g. GCM isn't certainly the best
pr_done_good "$text"
return 6
;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_done_best "$text" pr_done_best "$text"
return 7 return 7
@ -4913,6 +4919,16 @@ pr_cipher_quality() {
pr_svrty_high "$text" pr_svrty_high "$text"
return 2 return 2
;; ;;
TLS_RSA_*)
if [[ "$cipher" =~ CBC ]]; then
pr_svrty_low "$text"
return 4
else
pr_done_good "$text"
# RSA kx and e.g. GCM isn't certainly the best
return 6
fi
;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_done_best "$text" pr_done_best "$text"
return 7 return 7
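Review bot: The exact-name arm added in the second hunk (`AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM|AES128-CCM|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)`) omits the OpenSSL names `AES128-CCM8` and `AES256-CCM8`, which also use RSA key exchange. They fall through to `*GCM*|*CCM*|*CHACHA20*)` and are rated best (7), while the third hunk's `TLS_RSA_*)` arm rates the same suites good (6) under their RFC names. Starting the pattern with `AES256-CCM8|AES128-CCM8|` would keep the two naming branches consistent. RSA-PSK suites appear to diverge the same way, since `TLS_RSA_*` also matches `TLS_RSA_PSK_...` names but the OpenSSL list has no `RSA-PSK-*` entries, so the intended rating there should be decided. The comment `# RSA kx and e.g. GCM isn't certainly the best` would read more clearly as `# RSA key exchange gives no forward secrecy, so AEAD suites are rated good, not best`; pr_cipher_quality() starts and ends outside these hunks, so the effect of earlier case arms is assumed.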