mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 12:59:44 +01:00
Merge pull request #2275 from drwetter/remove_negotiated
Remove Negotiated cipher / protocol in server preferences
commit
827782cd58
@ -62,8 +62,6 @@
|
|||||||
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
|
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
|
||||||
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
|
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
|
||||||
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
|
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
|
||||||
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
|
|
||||||
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
|
|
||||||
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
|
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||||
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
|
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
|
||||||
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""
|
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""
|
||||||
|
76
testssl.sh
76
testssl.sh
@ -6912,7 +6912,7 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
|
elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
|
||||||
case "$fileout_rating" in
|
case "$fileout_rating" in
|
||||||
"INFO")
|
"INFO")
|
||||||
out "only for TLS 1.3"
|
out "only for TLS 1.3"
|
||||||
fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
|
fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
|
||||||
;;
|
;;
|
||||||
@ -6962,80 +6962,6 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
pr_bold " Negotiated protocol "
|
|
||||||
jsonID="protocol_negotiated"
|
|
||||||
|
|
||||||
case "$default_proto" in
|
|
||||||
*TLSv1.3)
|
|
||||||
prln_svrty_best $default_proto
|
|
||||||
fileout "$jsonID" "OK" "Default protocol TLS1.3"
|
|
||||||
;;
|
|
||||||
*TLSv1.2)
|
|
||||||
prln_svrty_best $default_proto
|
|
||||||
fileout "$jsonID" "OK" "Default protocol TLS1.2"
|
|
||||||
;;
|
|
||||||
*TLSv1.1)
|
|
||||||
prln_svrty_low $default_proto
|
|
||||||
fileout "$jsonID" "LOW" "Default protocol TLS1.1"
|
|
||||||
;;
|
|
||||||
*TLSv1)
|
|
||||||
prln_svrty_low $default_proto
|
|
||||||
fileout "$jsonID" "LOW" "Default protocol TLS1.0"
|
|
||||||
;;
|
|
||||||
*SSLv2)
|
|
||||||
prln_svrty_critical $default_proto
|
|
||||||
fileout "$jsonID" "CRITICAL" "Default protocol SSLv2"
|
|
||||||
;;
|
|
||||||
*SSLv3)
|
|
||||||
prln_svrty_critical $default_proto
|
|
||||||
fileout "$jsonID" "CRITICAL" "Default protocol SSLv3"
|
|
||||||
;;
|
|
||||||
"")
|
|
||||||
pr_warning "default proto empty"
|
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
|
||||||
outln " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
|
||||||
fileout "$jsonID" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
|
||||||
else
|
|
||||||
outln
|
|
||||||
fileout "$jsonID" "WARN" "Default protocol empty"
|
|
||||||
fi
|
|
||||||
ret=1
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
pr_warning "FIXME line $LINENO: $default_proto"
|
|
||||||
fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto"
|
|
||||||
ret=1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
pr_bold " Negotiated cipher "
|
|
||||||
jsonID="cipher_negotiated"
|
|
||||||
pr_cipher_quality "$default_cipher"
|
|
||||||
case $? in
|
|
||||||
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
|
||||||
;;
|
|
||||||
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
|
||||||
;;
|
|
||||||
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
|
||||||
;;
|
|
||||||
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
|
||||||
;; # best ones
|
|
||||||
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense"
|
|
||||||
;; # it's CBC. --> lucky13
|
|
||||||
0) pr_warning "default cipher empty" ;
|
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
|
||||||
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
|
||||||
fileout "$jsonID" "WARN" "Default cipher empty (if IIS6 give OpenSSL 1.0.1 a try) $limitedsense"
|
|
||||||
else
|
|
||||||
fileout "$jsonID" "WARN" "Default cipher empty $limitedsense"
|
|
||||||
fi
|
|
||||||
ret=1
|
|
||||||
;;
|
|
||||||
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
[[ -n "$default_cipher" ]] && read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt"
|
|
||||||
|
|
||||||
if [[ "$cipher0" != $cipher1 ]]; then
|
if [[ "$cipher0" != $cipher1 ]]; then
|
||||||
pr_warning " -- inconclusive test, matching cipher in list missing"
|
pr_warning " -- inconclusive test, matching cipher in list missing"
|
||||||
outln ", better see above"
|
outln ", better see above"
|
||||||
|
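Review bot: Nothing at the removal point in the second testssl.sh hunk tells consumers of the CSV/JSON output that the `protocol_negotiated` and `cipher_negotiated` findings are gone, although the deleted arms carried the CRITICAL rating for a default protocol of SSLv2/SSLv3 and set `ret=1` when the protocol or cipher came back empty. A pipeline that alerts on those two IDs would go quiet rather than fail, so I would add a comment where the block used to be, e.g. `# NOTE: jsonIDs protocol_negotiated and cipher_negotiated are no longer emitted here; output consumers must not expect them`, and record the removal in the changelog. Whether an empty handshake result is still reported, and still reflected in the return value, cannot be confirmed from this page because run_server_preference starts and ends outside the hunk. It is also worth checking that `default_proto`, `default_cipher` and `limitedsense` are still used after this deletion.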