Less aggresive TLS_FALLBACK_SCVS checks

This commit is contained in:
Magnus Larsen 2020-04-17 15:31:29 +02:00
parent d9f2ca80d6
commit b4ad0d2425


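--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -16183,7 +16183,6 @@ run_tls_fallback_scsv() {
 if [[ "$OPTIMAL_PROTO" == -ssl2 ]]; then
 prln_svrty_critical "No fallback possible, SSLv2 is the only protocol"
 fileout "$jsonID" "CRITICAL" "SSLv2 is the only protocol"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 return 0
 fi
 for p in tls1_2 tls1_1 tls1 ssl3; do
@@ -16212,7 +16211,6 @@ run_tls_fallback_scsv() {
 "ssl3")
 prln_svrty_high "No fallback possible, SSLv3 is the only protocol"
 fileout "$jsonID" "HIGH" "only SSLv3 supported"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 return 0
 ;;
 *) if [[ $(has_server_protocol tls1_3) -eq 0 ]]; then
@@ -16220,7 +16218,6 @@ run_tls_fallback_scsv() {
 # then assume it does not support SSLv3, even if SSLv3 cannot be tested.
 pr_svrty_good "No fallback possible (OK)"; outln ", TLS 1.3 is the only protocol"
 fileout "$jsonID" "OK" "only TLS 1.3 supported"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 elif [[ $(has_server_protocol tls1_3) -eq 1 ]] && \
 ( [[ $(has_server_protocol ssl3) -eq 1 ]] || "$HAS_SSL3" ); then
 # TLS 1.3, TLS 1.2, TLS 1.1, TLS 1, and SSLv3 are all not supported.
@@ -16234,7 +16231,6 @@ run_tls_fallback_scsv() {
 # it is very likely that SSLv3 is the only supported protocol.
 pr_svrty_high "NOT ok, no fallback possible"; outln ", TLS 1.3, 1.2, 1.1 and 1.0 not supported"
 fileout "$jsonID" "HIGH" "TLS 1.3, 1.2, 1.1, 1.0 not supported"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 else
 # TLS 1.2, TLS 1.1, and TLS 1 are not supported, but can't tell whether TLS 1.3 is supported.
 # This could be a TLS 1.3 only server, an SSLv3 only server (if SSLv3 support cannot be tested),
@@ -16242,7 +16238,6 @@ run_tls_fallback_scsv() {
 # since this could either be good or bad.
 outln "No fallback possible, TLS 1.2, TLS 1.1, and TLS 1 not supported"
 fileout "$jsonID" "INFO" "TLS 1.2, TLS 1.1, and TLS 1 not supported"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 fi
 return 0
 esac
@@ -16287,7 +16282,6 @@ run_tls_fallback_scsv() {
 ;;
 esac
 fileout "$jsonID" "OK" "no protocol below $high_proto_str offered"
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
 return 0
 fi
 case "$low_proto" in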
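Review bot: The six `set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"` removals leave no comment recording why these "no fallback possible" branches no longer cap the grade, so a later maintainer is likely to re-add the cap in one of them. A one-line comment above the `fileout` call in each branch, e.g. `# Only one protocol is offered, so no downgrade can occur and TLS_FALLBACK_SCSV support is not testable here; do not cap the grade for it.`, would preserve the intent of the change. The SSLv2-only (CRITICAL) and SSLv3-only (HIGH) paths presumably still have their grade limited by the protocol checks elsewhere in the script; that is not visible in this section and is worth confirming so the relaxation does not silently lift a cap those paths relied on. The enclosing run_tls_fallback_scsv function starts and ends outside the hunks shown.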