From 1842b9eefb1869e0e6b18bba4b61c2dee49a67c1 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 14 Nov 2022 17:23:13 +0100 Subject: [PATCH 1/2] Remove Negotiated cipher / protocol in server preferences As a first cleanup action I removed in run_server_preference() the line with Negotiated Protocol and Negotiated Cipher as the don't have any real information, see #2235 , comment below: https://github.com/drwetter/testssl.sh/pull/2235 --- testssl.sh | 76 +----------------------------------------------------- 1 file changed, 1 insertion(+), 75 deletions(-) diff --git a/testssl.sh b/testssl.sh index eac2328..1f5852a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6912,7 +6912,7 @@ run_server_preference() { fi elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then case "$fileout_rating" in - "INFO") + "INFO") out "only for TLS 1.3" fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined" ;; @@ -6962,80 +6962,6 @@ run_server_preference() { fi outln - pr_bold " Negotiated protocol " - jsonID="protocol_negotiated" - - case "$default_proto" in - *TLSv1.3) - prln_svrty_best $default_proto - fileout "$jsonID" "OK" "Default protocol TLS1.3" - ;; - *TLSv1.2) - prln_svrty_best $default_proto - fileout "$jsonID" "OK" "Default protocol TLS1.2" - ;; - *TLSv1.1) - prln_svrty_low $default_proto - fileout "$jsonID" "LOW" "Default protocol TLS1.1" - ;; - *TLSv1) - prln_svrty_low $default_proto - fileout "$jsonID" "LOW" "Default protocol TLS1.0" - ;; - *SSLv2) - prln_svrty_critical $default_proto - fileout "$jsonID" "CRITICAL" "Default protocol SSLv2" - ;; - *SSLv3) - prln_svrty_critical $default_proto - fileout "$jsonID" "CRITICAL" "Default protocol SSLv3" - ;; - "") - pr_warning "default proto empty" - if [[ $OSSL_VER == 1.0.2* ]]; then - outln " (Hint: if IIS6 give OpenSSL 1.0.1 a try)" - fileout "$jsonID" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.0.1 a try)" - else - outln - fileout "$jsonID" "WARN" "Default protocol empty" - fi - ret=1 - ;; - *) - pr_warning "FIXME line $LINENO: $default_proto" - fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto" - ret=1 - ;; - esac - - pr_bold " Negotiated cipher " - jsonID="cipher_negotiated" - pr_cipher_quality "$default_cipher" - case $? in - 1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense" - ;; - 2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense" - ;; - 3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense" - ;; - 6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense" - ;; # best ones - 4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense" - ;; # it's CBC. --> lucky13 - 0) pr_warning "default cipher empty" ; - if [[ $OSSL_VER == 1.0.2* ]]; then - out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)" - fileout "$jsonID" "WARN" "Default cipher empty (if IIS6 give OpenSSL 1.0.1 a try) $limitedsense" - else - fileout "$jsonID" "WARN" "Default cipher empty $limitedsense" - fi - ret=1 - ;; - *) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense" - ;; - esac - [[ -n "$default_cipher" ]] && read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" - if [[ "$cipher0" != $cipher1 ]]; then pr_warning " -- inconclusive test, matching cipher in list missing" outln ", better see above" From e918a2c31f9ff1dbffd9b8cffb36f88e41dbc36b Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 14 Nov 2022 20:25:56 +0100 Subject: [PATCH 2/2] remove negotiated cipher / protocol also in baseline file --- t/baseline_data/default_testssl.csvfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile index 9598077..7a698fc 100644 --- a/t/baseline_data/default_testssl.csvfile +++ b/t/baseline_data/default_testssl.csvfile @@ -62,8 +62,6 @@ "cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" "prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","","" "cipher_order","testssl.sh/81.169.166.184","443","OK","server","","" -"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","","" -"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","","" "FS","testssl.sh/81.169.166.184","443","OK","offered","","" "FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","","" "FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""