From 045778b2d82eb07fe8c2ee91d30b924382683295 Mon Sep 17 00:00:00 2001
From: David Cooper <david.cooper@nist.gov>
Date: Wed, 7 Sep 2022 12:45:59 -0700
Subject: [PATCH 1/2] Fix #1311
This commit fixes #1311 by only rating the lack of a server-enforced ciper order negatively if there is a difference in the quality rating of the ciphers offered for a particular protocol.
---
testssl.sh | 114 +++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 101 insertions(+), 13 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 530a706..d7b3b16 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -268,6 +268,7 @@ NR_HEADER_FAIL=0 # .. for HTTP_GET
PROTOS_OFFERED="" # This keeps which protocol is being offered. See has_server_protocol().
TLS12_CIPHER_OFFERED="" # This contains the hexcode of a cipher known to be supported by the server with TLS 1.2
CURVES_OFFERED="" # This keeps which curves have been detected. Just for error handling
+NO_CIPHER_ORDER_LEVEL=5 # This is the finding level to report if the server does not enforce a cipher order for one or more protocol versions.
KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
DETECTED_TLS_VERSION="" # .. as hex string, e.g. 0300 or 0303
APP_TRAF_KEY_INFO="" # Information about the application traffic keys for a TLS 1.3 connection.
@@ -4243,6 +4244,7 @@ ciphers_by_strength() {
local available proto_supported=false
local id
local has_dh_bits="$HAS_DH_BITS"
+ local -i quality worst_cipher=8 best_cipher=0 difference_rating=5
# for local problem if it happens
"$wide" || out " "
@@ -4505,12 +4507,51 @@ ciphers_by_strength() {
fi
if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then
- if [[ $proto_ossl == tls1_3 ]]; then
- outln " (no server order, thus listed by strength)"
- elif ! "$serverpref_known"; then
+ if ! "$serverpref_known"; then
outln " (listed by strength)"
else
- prln_svrty_high " (no server order, thus listed by strength)"
+ # Determine the best and worst quality level findings for the supported ciphers
+ for (( i=0 ; i<nr_ciphers; i++ )); do
+ if "${ciphers_found[i]}"; then
+ if [[ "${rfc_ciph[i]}" != - ]]; then
+ get_cipher_quality "${rfc_ciph[i]}"
+ else
+ get_cipher_quality ${ciph[i]}
+ fi
+ quality=$?
+ [[ $quality -lt $worst_cipher ]] && worst_cipher=$quality
+ [[ $quality -gt $best_cipher ]] && best_cipher=$quality
+ fi
+ done
+ # Assign a rating (severity level) based on the difference between the levels
+ # of the best and worst supported ciphers.
+ if [[ $worst_cipher -ne $best_cipher ]]; then
+ case $best_cipher in
+ 3|5|6|7)
+ difference_rating=$worst_cipher
+ [[ $difference_rating -gt 5 ]] && difference_rating=5
+ ;;
+ 4)
+ case $worst_cipher in
+ 3) difference_rating=4 ;;
+ 2) difference_rating=2 ;;
+ 1) difference_rating=1 ;;
+ esac
+ ;;
+ 2)
+ difference_rating=2
+ ;;
+ esac
+ fi
+
+ [[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
+ case $difference_rating in
+ 5) outln " (no server order, thus listed by strength)" ;;
+ 4) prln_svrty_low " (no server order, thus listed by strength)" ;;
+ 3) prln_svrty_medium " (no server order, thus listed by strength)" ;;
+ 2) prln_svrty_high " (no server order, thus listed by strength)" ;;
+ 1) prln_svrty_critical " (no server order, thus listed by strength)" ;;
+ esac
fi
elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
outln
@@ -6650,7 +6691,7 @@ run_server_preference() {
local has_cipher_order=false has_tls13_cipher_order=false
local addcmd="" addcmd2=""
local using_sockets=true
- local jsonID="cipher_order"
+ local jsonID="cipher_order" fileout_msg="" fileout_rating="" terminal_msg=""
local cwe="CWE-310"
local cve=""
@@ -6824,23 +6865,58 @@ run_server_preference() {
pr_bold " Has server cipher order? "
jsonID="cipher_order"
+ case $NO_CIPHER_ORDER_LEVEL in
+ 5) fileout_rating="INFO" ;;
+ 4) fileout_rating="LOW" ;;
+ 3) fileout_rating="MEDIUM" ;;
+ 2) fileout_rating="HIGH" ;;
+ 1) fileout_rating="CRITICAL" ;;
+ esac
if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
- out "no (TLS 1.3 only)"
+ terminal_msg="no (TLS 1.3 only)"
limitedsense=" (limited sense as client will pick)"
- fileout "$jsonID" "INFO" "not a cipher order for TLS 1.3 configured"
+ fileout_msg="not a cipher order for TLS 1.3 configured"
elif ! "$TLS13_ONLY" && [[ -z "$cipher2" ]]; then
pr_warning "unable to determine"
elif ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
# server used the different ends (ciphers) from the client hello
- pr_svrty_high "no (NOT ok)"
+ terminal_msg="no (NOT ok)"
+ [[ "$fileout_rating" == INFO ]] && terminal_msg="no"
limitedsense=" (limited sense as client will pick)"
- fileout "$jsonID" "HIGH" "NOT a cipher order configured"
+ fileout_msg="NOT a cipher order configured"
elif "$has_cipher_order" && ! "$has_tls13_cipher_order" && [[ "$default_proto" == TLSv1.3 ]]; then
- pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
- fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
+ if [[ $NO_CIPHER_ORDER_LEVEL -eq 5 ]]; then
+ pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
+ fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
+ else
+ # The server does not enforce a cipher order for TLS 1.3 and it
+ # accepts some lower quality TLS 1.3 ciphers.
+ terminal_msg="only for < TLS 1.3"
+ fileout_msg="server -- TLS 1.3 client determined"
+ fi
elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
- pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
- fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
+ case "$fileout_rating" in
+ "INFO")
+ out "only for TLS 1.3"
+ fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
+ ;;
+ "LOW")
+ pr_svrty_low "no (NOT ok)"; out " -- only for TLS 1.3"
+ fileout "$jsonID" "LOW" "server -- < TLS 1.3 client determined"
+ ;;
+ "MEDIUM")
+ pr_svrty_medium "no (NOT ok)"; out " -- only for TLS 1.3"
+ fileout "$jsonID" "MEDIUM" "server -- < TLS 1.3 client determined"
+ ;;
+ "HIGH")
+ pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
+ fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
+ ;;
+ "CRITICAL")
+ pr_svrty_critical "no (NOT ok)"; out " -- only for TLS 1.3"
+ fileout "$jsonID" "CRITICAL" "server -- < TLS 1.3 client determined"
+ ;;
+ esac
else
if "$has_tls13_cipher_order"; then
if "$TLS13_ONLY"; then
@@ -6857,6 +6933,17 @@ run_server_preference() {
fileout "$jsonID" "OK" "server"
fi
fi
+ if [[ -n "$fileout_msg" ]]; then
+ case "$fileout_rating" in
+ "INFO") out "$terminal_msg" ;;
+ "OK") pr_svrty_good "$terminal_msg" ;;
+ "LOW") pr_svrty_low "$terminal_msg" ;;
+ "MEDIUM") pr_svrty_medium "$terminal_msg" ;;
+ "HIGH") pr_svrty_high "$terminal_msg" ;;
+ "CRITICAL") pr_svrty_critical "$terminal_msg" ;;
+ esac
+ fileout "$jsonID" "$fileout_rating" "$fileout_msg"
+ fi
outln
pr_bold " Negotiated protocol "
@@ -23469,6 +23556,7 @@ reset_hostdepended_vars() {
PROTOS_OFFERED=""
TLS12_CIPHER_OFFERED=""
CURVES_OFFERED=""
+ NO_CIPHER_ORDER_LEVEL=5
KNOWN_OSSL_PROB=false
TLS13_ONLY=false
CLIENT_AUTH="none"
From 5c889bde0fd29113e567f77d133eb76021c88a90 Mon Sep 17 00:00:00 2001
From: David Cooper <david.cooper@nist.gov>
Date: Thu, 20 Oct 2022 12:29:12 -0700
Subject: [PATCH 2/2] Include cipher order information in file output on a per
protocol basis
This commit fileout() calls to ciphers_by_strength() and cipher_pref_check() to indicate whether or not the server enforces a cipher order for a protocol version.
---
t/baseline_data/default_testssl.csvfile | 4 ++++
testssl.sh | 28 ++++++++++++++++++++-----
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
index dbb3ba0..9598077 100644
--- a/t/baseline_data/default_testssl.csvfile
+++ b/t/baseline_data/default_testssl.csvfile
@@ -18,6 +18,7 @@
"cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
"cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
"cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
+"cipher_order-tls1","testssl.sh/81.169.166.184","443","OK","server","",""
"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
"cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -26,6 +27,7 @@
"cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
"cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
"cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_1","testssl.sh/81.169.166.184","443","OK","server","",""
"cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
"cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
"cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -34,6 +36,7 @@
"cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
"cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
"cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_2","testssl.sh/81.169.166.184","443","OK","server","",""
"cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
"cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
"cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
@@ -52,6 +55,7 @@
"cipher-tls1_2_x3d","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","",""
"cipher-tls1_2_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
"cipherorder_TLSv1_2","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA","",""
+"cipher_order-tls1_3","testssl.sh/81.169.166.184","443","OK","server","",""
"cipher-tls1_3_x1302","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","",""
"cipher-tls1_3_x1303","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","",""
"cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
diff --git a/testssl.sh b/testssl.sh
index d7b3b16..c40a586 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4545,12 +4545,28 @@ ciphers_by_strength() {
fi
[[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
+ id="cipher_order${proto}"
case $difference_rating in
- 5) outln " (no server order, thus listed by strength)" ;;
- 4) prln_svrty_low " (no server order, thus listed by strength)" ;;
- 3) prln_svrty_medium " (no server order, thus listed by strength)" ;;
- 2) prln_svrty_high " (no server order, thus listed by strength)" ;;
- 1) prln_svrty_critical " (no server order, thus listed by strength)" ;;
+ 5)
+ outln " (no server order, thus listed by strength)"
+ fileout "$id" "INFO" "NOT a cipher order configured"
+ ;;
+ 4)
+ prln_svrty_low " (no server order, thus listed by strength)"
+ fileout "$id" "LOW" "NOT a cipher order configured"
+ ;;
+ 3)
+ prln_svrty_medium " (no server order, thus listed by strength)"
+ fileout "$id" "MEDIUM" "NOT a cipher order configured"
+ ;;
+ 2)
+ prln_svrty_high " (no server order, thus listed by strength)"
+ fileout "$id" "HIGH" "NOT a cipher order configured"
+ ;;
+ 1)
+ prln_svrty_critical " (no server order, thus listed by strength)"
+ fileout "$id" "CRITICAL" "NOT a cipher order configured"
+ ;;
esac
fi
elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
@@ -7448,8 +7464,10 @@ cipher_pref_check() {
fi
if "$prioritize_chacha"; then
outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
+ fileout "cipher_order-${proto}" "OK" "server -- server prioritizes ChaCha ciphers when preferred by clients"
elif [[ -n "$order" ]]; then
outln " (server order)"
+ fileout "cipher_order-${proto}" "OK" "server"
else
outln
fi