From 045778b2d82eb07fe8c2ee91d30b924382683295 Mon Sep 17 00:00:00 2001
From: David Cooper <david.cooper@nist.gov>
Date: Wed, 7 Sep 2022 12:45:59 -0700
Subject: [PATCH 1/2] Fix #1311

This commit fixes #1311 by only rating the lack of a server-enforced ciper order negatively if there is a difference in the quality rating of the ciphers offered for a particular protocol.
---
 testssl.sh | 114 +++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 101 insertions(+), 13 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 530a706..d7b3b16 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -268,6 +268,7 @@ NR_HEADER_FAIL=0                        # .. for HTTP_GET
 PROTOS_OFFERED=""                       # This keeps which protocol is being offered. See has_server_protocol().
 TLS12_CIPHER_OFFERED=""                 # This contains the hexcode of a cipher known to be supported by the server with TLS 1.2
 CURVES_OFFERED=""                       # This keeps which curves have been detected. Just for error handling
+NO_CIPHER_ORDER_LEVEL=5                 # This is the finding level to report if the server does not enforce a cipher order for one or more protocol versions.
 KNOWN_OSSL_PROB=false                   # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
 DETECTED_TLS_VERSION=""                 # .. as hex string, e.g. 0300 or 0303
 APP_TRAF_KEY_INFO=""                    # Information about the application traffic keys for a TLS 1.3 connection.
@@ -4243,6 +4244,7 @@ ciphers_by_strength() {
      local available proto_supported=false
      local id
      local has_dh_bits="$HAS_DH_BITS"
+     local -i quality worst_cipher=8 best_cipher=0 difference_rating=5
 
      # for local problem if it happens
      "$wide" || out "  "
@@ -4505,12 +4507,51 @@ ciphers_by_strength() {
      fi
 
      if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then
-          if [[ $proto_ossl == tls1_3 ]]; then
-               outln " (no server order, thus listed by strength)"
-          elif ! "$serverpref_known"; then
+          if ! "$serverpref_known"; then
                outln " (listed by strength)"
           else
-               prln_svrty_high " (no server order, thus listed by strength)"
+               # Determine the best and worst quality level findings for the supported ciphers
+               for (( i=0 ; i<nr_ciphers; i++ )); do
+                    if "${ciphers_found[i]}"; then
+                         if [[ "${rfc_ciph[i]}" != - ]]; then
+                              get_cipher_quality "${rfc_ciph[i]}"
+                         else
+                              get_cipher_quality ${ciph[i]}
+                         fi
+                         quality=$?
+                         [[ $quality -lt $worst_cipher ]] && worst_cipher=$quality
+                         [[ $quality -gt $best_cipher ]] && best_cipher=$quality
+                    fi
+               done
+               # Assign a rating (severity level) based on the difference between the levels
+               # of the best and worst supported ciphers.
+               if [[ $worst_cipher -ne $best_cipher ]]; then
+                    case $best_cipher in
+                         3|5|6|7)
+                              difference_rating=$worst_cipher
+                              [[ $difference_rating -gt 5 ]] && difference_rating=5
+                              ;;
+                         4)
+                              case $worst_cipher in
+                                   3) difference_rating=4 ;;
+                                   2) difference_rating=2 ;;
+                                   1) difference_rating=1 ;;
+                              esac
+                              ;;
+                         2)
+                              difference_rating=2
+                              ;;
+                    esac
+               fi
+               
+               [[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
+               case $difference_rating in
+                    5) outln " (no server order, thus listed by strength)" ;;
+                    4) prln_svrty_low " (no server order, thus listed by strength)" ;; 
+                    3) prln_svrty_medium " (no server order, thus listed by strength)" ;;
+                    2) prln_svrty_high " (no server order, thus listed by strength)" ;;
+                    1) prln_svrty_critical " (no server order, thus listed by strength)" ;;
+               esac
           fi
      elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
           outln
@@ -6650,7 +6691,7 @@ run_server_preference() {
      local has_cipher_order=false has_tls13_cipher_order=false
      local addcmd="" addcmd2=""
      local using_sockets=true
-     local jsonID="cipher_order"
+     local jsonID="cipher_order" fileout_msg="" fileout_rating="" terminal_msg=""
      local cwe="CWE-310"
      local cve=""
 
@@ -6824,23 +6865,58 @@ run_server_preference() {
 
      pr_bold " Has server cipher order?     "
      jsonID="cipher_order"
+     case $NO_CIPHER_ORDER_LEVEL in
+          5) fileout_rating="INFO" ;;
+          4) fileout_rating="LOW" ;;
+          3) fileout_rating="MEDIUM" ;;
+          2) fileout_rating="HIGH" ;;
+          1) fileout_rating="CRITICAL" ;;
+     esac
      if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
-          out "no (TLS 1.3 only)"
+          terminal_msg="no (TLS 1.3 only)"
           limitedsense=" (limited sense as client will pick)"
-          fileout "$jsonID" "INFO" "not a cipher order for TLS 1.3 configured"
+          fileout_msg="not a cipher order for TLS 1.3 configured"
      elif ! "$TLS13_ONLY" && [[ -z "$cipher2" ]]; then
           pr_warning "unable to determine"
      elif ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
           # server used the different ends (ciphers) from the client hello
-          pr_svrty_high "no (NOT ok)"
+          terminal_msg="no (NOT ok)"
+          [[ "$fileout_rating" == INFO ]] && terminal_msg="no"
           limitedsense=" (limited sense as client will pick)"
-          fileout "$jsonID" "HIGH" "NOT a cipher order configured"
+          fileout_msg="NOT a cipher order configured"
      elif "$has_cipher_order" && ! "$has_tls13_cipher_order" && [[ "$default_proto" == TLSv1.3 ]]; then
-          pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
-          fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
+          if [[ $NO_CIPHER_ORDER_LEVEL -eq 5 ]]; then
+               pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
+               fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
+          else
+               # The server does not enforce a cipher order for TLS 1.3 and it
+               # accepts some lower quality TLS 1.3 ciphers.
+               terminal_msg="only for < TLS 1.3"
+               fileout_msg="server -- TLS 1.3 client determined"
+          fi
      elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
-          pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
-          fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
+          case "$fileout_rating" in
+               "INFO") 
+                    out "only for TLS 1.3"
+                    fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
+                    ;;
+               "LOW")
+                    pr_svrty_low "no (NOT ok)"; out " -- only for TLS 1.3"
+                    fileout "$jsonID" "LOW" "server -- < TLS 1.3 client determined"
+                    ;;
+               "MEDIUM")
+                    pr_svrty_medium "no (NOT ok)"; out " -- only for TLS 1.3"
+                    fileout "$jsonID" "MEDIUM" "server -- < TLS 1.3 client determined"
+                    ;;
+               "HIGH")
+                    pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
+                    fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
+                    ;;
+               "CRITICAL")
+                    pr_svrty_critical "no (NOT ok)"; out " -- only for TLS 1.3"
+                    fileout "$jsonID" "CRITICAL" "server -- < TLS 1.3 client determined"
+                    ;;
+          esac
      else
           if "$has_tls13_cipher_order"; then
                if "$TLS13_ONLY"; then
@@ -6857,6 +6933,17 @@ run_server_preference() {
                fileout "$jsonID" "OK" "server"
           fi
      fi
+     if [[ -n "$fileout_msg" ]]; then
+          case "$fileout_rating" in
+               "INFO") out "$terminal_msg" ;;
+               "OK") pr_svrty_good "$terminal_msg" ;;
+               "LOW") pr_svrty_low "$terminal_msg" ;;
+               "MEDIUM") pr_svrty_medium "$terminal_msg" ;;
+               "HIGH") pr_svrty_high "$terminal_msg" ;;
+               "CRITICAL") pr_svrty_critical "$terminal_msg" ;;
+          esac
+          fileout "$jsonID" "$fileout_rating" "$fileout_msg"
+     fi
      outln
 
      pr_bold " Negotiated protocol          "
@@ -23469,6 +23556,7 @@ reset_hostdepended_vars() {
      PROTOS_OFFERED=""
      TLS12_CIPHER_OFFERED=""
      CURVES_OFFERED=""
+     NO_CIPHER_ORDER_LEVEL=5
      KNOWN_OSSL_PROB=false
      TLS13_ONLY=false
      CLIENT_AUTH="none"

From 5c889bde0fd29113e567f77d133eb76021c88a90 Mon Sep 17 00:00:00 2001
From: David Cooper <david.cooper@nist.gov>
Date: Thu, 20 Oct 2022 12:29:12 -0700
Subject: [PATCH 2/2] Include cipher order information in file output on a per
 protocol basis

This commit fileout() calls to ciphers_by_strength() and cipher_pref_check() to indicate whether or not the server enforces a cipher order for a protocol version.
---
 t/baseline_data/default_testssl.csvfile |  4 ++++
 testssl.sh                              | 28 ++++++++++++++++++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
index dbb3ba0..9598077 100644
--- a/t/baseline_data/default_testssl.csvfile
+++ b/t/baseline_data/default_testssl.csvfile
@@ -18,6 +18,7 @@
 "cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
 "cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
 "cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
+"cipher_order-tls1","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -26,6 +27,7 @@
 "cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_1","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -34,6 +36,7 @@
 "cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_2","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
 "cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
 "cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
@@ -52,6 +55,7 @@
 "cipher-tls1_2_x3d","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256","",""
 "cipher-tls1_2_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1_2","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA","",""
+"cipher_order-tls1_3","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_3_x1302","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
 "cipher-tls1_3_x1303","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256","",""
 "cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
diff --git a/testssl.sh b/testssl.sh
index d7b3b16..c40a586 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4545,12 +4545,28 @@ ciphers_by_strength() {
                fi
                
                [[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
+               id="cipher_order${proto}"
                case $difference_rating in
-                    5) outln " (no server order, thus listed by strength)" ;;
-                    4) prln_svrty_low " (no server order, thus listed by strength)" ;; 
-                    3) prln_svrty_medium " (no server order, thus listed by strength)" ;;
-                    2) prln_svrty_high " (no server order, thus listed by strength)" ;;
-                    1) prln_svrty_critical " (no server order, thus listed by strength)" ;;
+                    5)
+                         outln " (no server order, thus listed by strength)"
+                         fileout "$id" "INFO" "NOT a cipher order configured"
+                         ;;
+                    4)
+                         prln_svrty_low " (no server order, thus listed by strength)"
+                         fileout "$id" "LOW" "NOT a cipher order configured"
+                         ;; 
+                    3)
+                         prln_svrty_medium " (no server order, thus listed by strength)"
+                         fileout "$id" "MEDIUM" "NOT a cipher order configured"
+                         ;;
+                    2)
+                         prln_svrty_high " (no server order, thus listed by strength)"
+                         fileout "$id" "HIGH" "NOT a cipher order configured"
+                         ;;
+                    1)
+                         prln_svrty_critical " (no server order, thus listed by strength)"
+                         fileout "$id" "CRITICAL" "NOT a cipher order configured"
+                         ;;
                esac
           fi
      elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
@@ -7448,8 +7464,10 @@ cipher_pref_check() {
      fi
      if "$prioritize_chacha"; then
           outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
+          fileout "cipher_order-${proto}" "OK" "server -- server prioritizes ChaCha ciphers when preferred by clients"
      elif [[ -n "$order" ]]; then
           outln " (server order)"
+          fileout "cipher_order-${proto}" "OK" "server"
      else
           outln
      fi