Printing Negotiated cipher
`run_server_preference()` prints out the server's Negotiated cipher in a different color depending on the quality of the cipher. However, there is a "FIXME" since CBC ciphers are supposed to be flagged, but it is not easy to identify all CBC ciphers from their OpenSSL names. This PR partially addresses this. It creates a separate function for printing a cipher based on its quality. Whenever possible it determines the quality of the cipher based on the RFC name. However, if it is provided an OpenSSL name and no cipher-mapping.txt file is available, it will follow the current (imperfect) logic for determining the cipher's quality. The function also returns a value that indicates the quality of the cipher provided, with higher numbers indicating better ciphers. This return value is used by `run_server_preference()` to determine how to populate the "severity" field when calling `fileout()`.
This commit is contained in:
parent
d2cbbaf0b1
commit
a26425af71
97
testssl.sh
97
testssl.sh
@ -4660,6 +4660,80 @@ pr_ecdh_curve_quality() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Print $2 based on the quality of the cipher in $1. If $2 is empty, print $1.
|
||||||
|
# The return value is an indicator of the quality of the cipher in $1:
|
||||||
|
# 0 = $1 is empty
|
||||||
|
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
|
||||||
|
# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best
|
||||||
|
pr_cipher_quality() {
|
||||||
|
local cipher="$1"
|
||||||
|
local text="$2"
|
||||||
|
|
||||||
|
[[ -z "$1" ]] && return 0
|
||||||
|
[[ -z "$text" ]] && text="$cipher"
|
||||||
|
|
||||||
|
if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
|
||||||
|
# This must be the OpenSSL name for a cipher
|
||||||
|
if [[ $TLS_NR_CIPHERS -eq 0 ]]; then
|
||||||
|
# We have the OpenSSL name and can't convert it to the RFC name
|
||||||
|
case "$cipher" in
|
||||||
|
*NULL*|*EXP*)
|
||||||
|
pr_svrty_critical "$text"
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
*RC4*)
|
||||||
|
pr_svrty_high "$text"
|
||||||
|
return 2
|
||||||
|
;;
|
||||||
|
*CBC*)
|
||||||
|
pr_svrty_medium "$text"
|
||||||
|
return 3
|
||||||
|
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
||||||
|
*GCM*|*CHACHA20*)
|
||||||
|
pr_done_best "$text"
|
||||||
|
return 7
|
||||||
|
;; #best ones
|
||||||
|
ECDHE*AES*)
|
||||||
|
pr_svrty_low "$text"
|
||||||
|
return 4
|
||||||
|
;; # it's CBC. --> lucky13
|
||||||
|
*)
|
||||||
|
out "$text"
|
||||||
|
return 5
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
cipher="$(openssl2rfc "$cipher")"
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$cipher" in
|
||||||
|
*NULL*|*EXP*|*RC2*|*_DES_*|*_DES40_*)
|
||||||
|
pr_svrty_critical "$text"
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
*RC4*)
|
||||||
|
pr_svrty_high "$text"
|
||||||
|
return 2
|
||||||
|
;;
|
||||||
|
*ECDHE*AES*CBC*)
|
||||||
|
pr_svrty_low "$text"
|
||||||
|
return 4
|
||||||
|
;;
|
||||||
|
*CBC*)
|
||||||
|
pr_svrty_medium "$text"
|
||||||
|
return 3
|
||||||
|
;;
|
||||||
|
*GCM*|*CHACHA20*)
|
||||||
|
pr_done_best "$text"
|
||||||
|
return 7
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
out "$text"
|
||||||
|
return 5
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
# arg1: file with input for grepping the bit length for ECDH/DHE
|
# arg1: file with input for grepping the bit length for ECDH/DHE
|
||||||
# arg2: whether to print warning "old fart" or not (empty: no)
|
# arg2: whether to print warning "old fart" or not (empty: no)
|
||||||
read_dhbits_from_file() {
|
read_dhbits_from_file() {
|
||||||
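Review bot: In pr_cipher_quality the OpenSSL-name branch only falls back to the name heuristics when `TLS_NR_CIPHERS` is 0; when a mapping table is loaded but `openssl2rfc` has no entry for this name, `cipher` becomes empty and the final `case` drops into `*)`, so a suite the old call site would have flagged from its OpenSSL name (an RC4 or export suite, say) is now printed neutral and returned as 5. The caller in run_server_preference already substitutes the OpenSSL name when its own conversion fails, so this path is reachable. Keying the fallback on the conversion result instead of the table size closes the gap; whether openssl2rfc is safe to call with no table loaded is not visible here, so the `TLS_NR_CIPHERS` test is kept as well. The fence shows the restructured head of the branch only; both `case` bodies stay as committed.
```shell
     local text="$2"
     local rfc_cipher

     # … unchanged: empty-argument and empty-text handling …

     if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
          # This must be the OpenSSL name for a cipher
          rfc_cipher="$(openssl2rfc "$cipher")"
          if [[ "$TLS_NR_CIPHERS" -eq 0 ]] || [[ -z "$rfc_cipher" ]]; then
               # No RFC name available: classify from the OpenSSL name
               # … unchanged: OpenSSL-name heuristics (case … esac) …
          fi
          cipher="$rfc_cipher"
     fi
     # … unchanged: RFC-name classification (case … esac) …
```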
@ -4876,28 +4950,24 @@ run_server_preference() {
|
|||||||
default_cipher="$(openssl2rfc "$default_cipher_ossl")"
|
default_cipher="$(openssl2rfc "$default_cipher_ossl")"
|
||||||
[[ -z "$default_cipher" ]] && default_cipher="$default_cipher_ossl"
|
[[ -z "$default_cipher" ]] && default_cipher="$default_cipher_ossl"
|
||||||
fi
|
fi
|
||||||
case "$default_cipher_ossl" in
|
pr_cipher_quality "$default_cipher"
|
||||||
*NULL*|*EXP*)
|
case $? in
|
||||||
pr_svrty_critical "$default_cipher"
|
1)
|
||||||
fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
*RC4*)
|
2)
|
||||||
pr_svrty_high "$default_cipher"
|
|
||||||
fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
*CBC*)
|
3)
|
||||||
pr_svrty_medium "$default_cipher"
|
|
||||||
fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
|
;;
|
||||||
*GCM*|*CHACHA20*)
|
6|7)
|
||||||
pr_done_best "$default_cipher"
|
|
||||||
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;; # best ones
|
;; # best ones
|
||||||
ECDHE*AES*)
|
4)
|
||||||
pr_svrty_low "$default_cipher"
|
|
||||||
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
|
||||||
;; # it's CBC. --> lucky13
|
;; # it's CBC. --> lucky13
|
||||||
"")
|
0)
|
||||||
pr_warning "default cipher empty" ;
|
pr_warning "default cipher empty" ;
|
||||||
if [[ $OSSL_VER == 1.0.2* ]]; then
|
if [[ $OSSL_VER == 1.0.2* ]]; then
|
||||||
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
out " (Hint: if IIS6 give OpenSSL 1.0.1 a try)"
|
||||||
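Review bot: The arms of the new `case $? in` are ordered 1, 2, 3, 6|7, 4, 0 and then `*)` for 5 in the following hunk, which makes it hard to check the status-to-severity mapping against the table in pr_cipher_quality's header comment, and `$?` is only valid because nothing sits between the call and the `case`. Capturing the status in a named variable and ordering the arms numerically reads more clearly and survives a later insertion: `pr_cipher_quality "$default_cipher"`, `cipher_quality=$?`, `case "$cipher_quality" in`. The `4)` arm is also the only one that appends `(cbc)` to the fileout text, which matches the function's low-severity meaning but deserves a one-line comment such as `# 4 = ECDHE AES CBC (Lucky13)` now that the pattern is no longer visible at the call site. run_server_preference's body starts before this hunk and continues past it, so `cipher_quality` would need a `local` declaration beside the function's other locals.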
@ -4907,7 +4977,6 @@ run_server_preference() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
out "$default_cipher"
|
|
||||||
fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
fileout "order_cipher" "INFO" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|