Merge pull request #2275 from drwetter/remove_negotiated

Remove Negotiated cipher / protocol in server preferences
This commit is contained in:
Dirk Wetter 2022-11-15 09:28:38 +01:00 committed by GitHub
commit 827782cd58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 77 deletions

View File

@ -62,8 +62,6 @@
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
"prioritize_chacha_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","false","",""
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""

View File

@ -6962,80 +6962,6 @@ run_server_preference() {
fi
outln
pr_bold " Negotiated protocol "
jsonID="protocol_negotiated"
case "$default_proto" in
*TLSv1.3)
prln_svrty_best $default_proto
fileout "$jsonID" "OK" "Default protocol TLS1.3"
;;
*TLSv1.2)
prln_svrty_best $default_proto
fileout "$jsonID" "OK" "Default protocol TLS1.2"
;;
*TLSv1.1)
prln_svrty_low $default_proto
fileout "$jsonID" "LOW" "Default protocol TLS1.1"
;;
*TLSv1)
prln_svrty_low $default_proto
fileout "$jsonID" "LOW" "Default protocol TLS1.0"
;;
*SSLv2)
prln_svrty_critical $default_proto
fileout "$jsonID" "CRITICAL" "Default protocol SSLv2"
;;
*SSLv3)
prln_svrty_critical $default_proto
fileout "$jsonID" "CRITICAL" "Default protocol SSLv3"
;;
"")
pr_warning "default proto empty"
if [[ $OSSL_VER == 1.0.2* ]]; then
outln " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
fileout "$jsonID" "WARN" "Default protocol empty (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
else
outln
fileout "$jsonID" "WARN" "Default protocol empty"
fi
ret=1
;;
*)
pr_warning "FIXME line $LINENO: $default_proto"
fileout "$jsonID" "WARN" "FIXME line $LINENO: $default_proto"
ret=1
;;
esac
pr_bold " Negotiated cipher "
jsonID="cipher_negotiated"
pr_cipher_quality "$default_cipher"
case $? in
1) fileout "$jsonID" "CRITICAL" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
2) fileout "$jsonID" "HIGH" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
3) fileout "$jsonID" "MEDIUM" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
6|7) fileout "$jsonID" "OK" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;; # best ones
4) fileout "$jsonID" "LOW" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") (cbc) $limitedsense"
;; # it's CBC. --> lucky13
0) pr_warning "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
fileout "$jsonID" "WARN" "Default cipher empty (if IIS6 give OpenSSL 1.0.1 a try) $limitedsense"
else
fileout "$jsonID" "WARN" "Default cipher empty $limitedsense"
fi
ret=1
;;
*) fileout "$jsonID" "INFO" "$default_cipher$(read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt" "string") $limitedsense"
;;
esac
[[ -n "$default_cipher" ]] && read_dhbits_from_file "$TEMPDIR/$NODEIP.run_server_preference.txt"
if [[ "$cipher0" != $cipher1 ]]; then
pr_warning " -- inconclusive test, matching cipher in list missing"
outln ", better see above"