From cc256131380e64f76fa639569dca2cca2aaccd1c Mon Sep 17 00:00:00 2001 From: Magnus Larsen Date: Sat, 6 Nov 2021 08:45:55 +0100 Subject: [PATCH] [Rating] Fix cipher strength rating, and add penalty for weak cipher suites --- testssl.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index b3fe009..c166b88 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1116,6 +1116,9 @@ set_ciph_str_score() { [[ $size -gt $CIPH_STR_BEST ]] && let CIPH_STR_BEST=$size [[ $size -lt $CIPH_STR_WORST ]] && let CIPH_STR_WORST=$size + + [[ $size -lt 112 || $size == "None" ]] && set_grade_cap "F" "Using cipher suites weaker than 112 bits" + return 0 } @@ -6855,7 +6858,7 @@ check_tls12_pref() { done ciphers_to_test="$non_chacha20_ciphers$chacha20_ciphers" ciphers_to_test="${ciphers_to_test%:}" - + while true; do $OPENSSL s_client $(s_client_options "$STARTTLS -tls1_2 $BUGS -cipher "$ciphers_to_test$tested_cipher" -connect $NODEIP:$PORT $PROXY $SNI") >$ERRFILE >$TMPFILE if sclient_connect_successful $? $TMPFILE ; then @@ -10071,7 +10074,7 @@ run_server_defaults() { done <<< "$CLIENT_AUTH_CA_LIST" fi fi - + if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then # no cipher suites specified here. We just want the default vhost subject @@ -20791,7 +20794,7 @@ sclient_auth() { local re='Master-Key: ([^\ ]*)' local connect_success=false - + [[ $1 -eq 0 ]] && connect_success=true ! "$connect_success" && [[ "$server_hello" =~ $re ]] && \ [[ -n "${BASH_REMATCH[1]}" ]] && connect_success=true @@ -20809,7 +20812,7 @@ sclient_auth() { [[ $1 -eq 0 ]] && return 0 if [[ ! "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]]; then # probably no SSL session # do another sanity check to be sure - if [[ "$server_hello" =~ \-\-\-BEGIN\ CERTIFICATE\-\-\-.*\-\-\-END\ CERTIFICATE\-\-\- ]]; then + if [[ "$server_hello" =~ \-\-\-BEGIN\ CERTIFICATE\-\-\-.*\-\-\-END\ CERTIFICATE\-\-\- ]]; then CLIENT_AUTH="none" NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally to false for all other cases return 0 @@ -21169,7 +21172,7 @@ determine_service() { else # If the XMPP name cannot be provided using -xmpphost, # then it needs to be provided to the -connect option - NODEIP="$NODE" + NODEIP="$NODE" fi fi if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then @@ -21453,7 +21456,7 @@ create_mass_testing_cmdline() { MASS_TESTING_CMDLINE[nr_cmds]="--htmlfile-parent=$outfile_arg" # next is the filename itself, as no '=' was supplied [[ "$cmd" == --htmlfile ]] && skip_next=true - [[ "$cmd" == -oH ]] && skip_next=true + [[ "$cmd" == -oH ]] && skip_next=true elif ( [[ "$cmd" =~ --logfile ]] || [[ "$cmd" =~ -oL ]] ); then outfile_arg="$(parse_opt_equal_sign "$cmd" "${CMDLINE_ARRAY[i+1]}")" MASS_TESTING_CMDLINE[nr_cmds]="--logfile-parent=$outfile_arg" @@ -22001,7 +22004,7 @@ run_rating() { # Determine the score for the worst key if [[ $c3_worst_cb -gt 0 && $c3_worst_cb -lt 128 ]]; then c3_worst=20 - elif [[ $c3_worst_cb -lt 256 ]]; then + elif [[ $c3_worst_cb -ge 128 && $c3_worst_cb -lt 256 ]]; then c3_worst=80 elif [[ $c3_worst_cb -ge 256 ]]; then c3_worst=100