Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2275 from drwetter/remove_negotiated

Browse Source 
Remove Negotiated cipher / protocol in server preferences
This commit is contained in:
Dirk Wetter
2022-11-15 09:28:38 +01:00
committed by GitHub
parent 0dac50c830 e918a2c31f
commit 827782cd58
2 changed files with 1 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
t/baseline_data/default_testssl.csvfile
View File

@@ -62,8 +62,6 @@
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" "cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","","" "prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","","" "cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
"FS","testssl.sh/81.169.166.184","443","OK","offered","","" "FS","testssl.sh/81.169.166.184","443","OK","offered","",""
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","","" "FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" "FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""

76
testssl.sh
View File

@@ -6912,7 +6912,7 @@ run_server_preference() {
fi fi
elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
case "$fileout_rating" in case "$fileout_rating" in
"INFO") "INFO")
out "only for TLS 1.3" out "only for TLS 1.3"
fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined" fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
;; ;;
@@ -6962,80 +6962,6 @@ run_server_preference() {
fi fi
outln outln
pr_bold " Negotiated protocol "
jsonID="protocol_negotiated"
case "$default_proto" in
*TLSv1.3)
prln_svrty_best $default_proto
fileout "$jsonID" "OK" "Default protocol TLS1.3"
;;
*TLSv1.2)
prln_svrty_best $default_proto
fileout "$jsonID" "OK" "Default protocol TLS1.2"
;;
*TLSv1.1)
prln_svrty_low $default_proto
fileout "$jsonID" "LOW" "Default protocol TLS1.1"
;;
*TLSv1)
prln_svrty_low $default_proto
fileout "$jsonID" "LOW" "Default protocol TLS1.0"
;;
*SSLv2)
prln_svrty_critical $default_proto
fileout "$jsonID" "CRITICAL" "Default protocol SSLv2"
;;
*SSLv3)
prln_svrty_critical $default_proto
fileout "$jsonID" "CRITICAL" "Default protocol SSLv3"
;;
"")
pr_warning "default proto empty"
if [[ $OSSL_VER == 1.0.2* ]]; then
outln " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
fileout "$jsonID" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
else
outln
fileout "$jsonID" "WARN" "Default protocol empty"
fi
ret=1
;;
*)
pr_warning "FIXME line $LINENO: $default_proto"
fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto"
ret=1
;;
esac
pr_bold " Negotiated cipher "
jsonID="cipher_negotiated"
pr_cipher_quality "$default_cipher"
case $? in
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;; # best ones
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense"
;; # it's CBC. --> lucky13
0) pr_warning "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
fileout "$jsonID" "WARN" "Default cipher empty (if IIS6 give OpenSSL 1.0.1 a try) $limitedsense"
else
fileout "$jsonID" "WARN" "Default cipher empty $limitedsense"
fi
ret=1
;;
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
esac
[[ -n "$default_cipher" ]] && read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt"
if [[ "$cipher0" != $cipher1 ]]; then if [[ "$cipher0" != $cipher1 ]]; then
pr_warning " -- inconclusive test, matching cipher in list missing" pr_warning " -- inconclusive test, matching cipher in list missing"
outln ", better see above" outln ", better see above"