2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-21 22:13:40 +01:00

analyze.py: Fix intermediate configuration detection

Use the openssl_ciphers key instead of openssl_ciphersuites
since we compare against ciphers being used. Remove hardcoded
assumptions about TLS 1.1 and AES being required. Use the
server_preferred_order key instead of assuming server order
for ciphers.
This commit is contained in:
Paul Spangler 2019-10-28 15:28:15 -05:00
parent ff8eac48c3
commit 0c6f41ddc6
No known key found for this signature in database
GPG Key ID: 3FE138BDF7F62160

View File

@ -63,7 +63,7 @@ def is_fubar(results):
pubkey_bits = int(conn['pubkey'][0]) pubkey_bits = int(conn['pubkey'][0])
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher']) ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
if conn['cipher'] not in (set(old["openssl_ciphersuites"]) | set(inter["openssl_ciphersuites"]) | set(modern["openssl_ciphersuites"])): if conn['cipher'] not in (set(old["openssl_ciphers"]) | set(inter["openssl_ciphers"]) | set(modern["openssl_ciphers"])):
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
fubar = True fubar = True
@ -121,7 +121,7 @@ def is_old(results):
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
# flag unwanted ciphers # flag unwanted ciphers
if conn['cipher'] not in old["openssl_ciphersuites"]: if conn['cipher'] not in old["openssl_ciphers"]:
logging.debug(conn['cipher'] + ' is not in the list of old ciphers') logging.debug(conn['cipher'] + ' is not in the list of old ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
isold = False isold = False
@ -165,8 +165,9 @@ def is_old(results):
isold = False isold = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True': if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering") failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "enforce client side ordering")
isold = False
return isold return isold
# is_intermediate is similar to is_old but for intermediate configuration from # is_intermediate is similar to is_old but for intermediate configuration from
@ -176,19 +177,16 @@ def is_intermediate(results):
lvl = 'intermediate' lvl = 'intermediate'
isinter = True isinter = True
has_tls1 = False has_tls1 = False
has_aes = False
has_pfs = True has_pfs = True
has_sigalg = True has_sigalg = True
has_ocsp = True has_ocsp = True
all_proto = [] all_proto = []
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
if conn['cipher'] not in inter["openssl_ciphersuites"]: if conn['cipher'] not in inter["openssl_ciphers"]:
logging.debug(conn['cipher'] + ' is not in the list of intermediate ciphers') logging.debug(conn['cipher'] + ' is not in the list of intermediate ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
isinter = False isinter = False
if conn['cipher'] == 'AES128-SHA':
has_aes = True
for proto in conn['protocols']: for proto in conn['protocols']:
if proto not in all_proto: if proto not in all_proto:
all_proto.append(proto) all_proto.append(proto)
@ -198,7 +196,7 @@ def is_intermediate(results):
logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature') logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
has_sigalg = False has_sigalg = False
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], inter["dh_param_size"], inter["ecdh_param_size"], True): if not has_good_pfs(conn['pfs'], inter["dh_param_size"], inter["ecdh_param_size"]):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the intermediate configuration') logging.debug(conn['pfs']+ ' is not a good PFS parameter for the intermediate configuration')
has_pfs = False has_pfs = False
if conn['ocsp_stapling'] == 'False': if conn['ocsp_stapling'] == 'False':
@ -212,13 +210,6 @@ def is_intermediate(results):
for proto in missing_proto: for proto in missing_proto:
logging.debug("missing protocol wanted in the intermediate configuration:" + proto) logging.debug("missing protocol wanted in the intermediate configuration:" + proto)
failures[lvl].append('consider enabling ' + proto) failures[lvl].append('consider enabling ' + proto)
if not has_tls1:
logging.debug("TLSv1 is not supported and required by the old configuration")
isinter = False
if not has_aes:
logging.debug("AES128-SHA is not supported and required by the intermediate configuration")
failures[lvl].append("add cipher AES128-SHA")
isinter = False
if not has_sigalg: if not has_sigalg:
failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"])) failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"]))
isinter = False isinter = False
@ -226,8 +217,9 @@ def is_intermediate(results):
failures[lvl].append("consider using DHE of at least 2048bits and ECC 256bit and greater") failures[lvl].append("consider using DHE of at least 2048bits and ECC 256bit and greater")
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True': if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering") failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering")
isinter = False
return isinter return isinter
# is_modern is similar to is_old but for modern configuration from # is_modern is similar to is_old but for modern configuration from
@ -242,7 +234,7 @@ def is_modern(results):
all_proto = [] all_proto = []
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
if conn['cipher'] not in modern["openssl_ciphersuites"]: if conn['cipher'] not in modern["openssl_ciphers"]:
logging.debug(conn['cipher'] + ' is not in the list of modern ciphers') logging.debug(conn['cipher'] + ' is not in the list of modern ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
ismodern = False ismodern = False
@ -276,8 +268,9 @@ def is_modern(results):
ismodern = False ismodern = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True': if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering") failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering")
ismodern = False
return ismodern return ismodern
def is_ordered(results, ref_ciphersuite, lvl): def is_ordered(results, ref_ciphersuite, lvl):
@ -311,17 +304,17 @@ def evaluate_all(results):
if is_old(results): if is_old(results):
status = "old" status = "old"
if not is_ordered(results, old["openssl_ciphersuites"], "old"): if old["server_preferred_order"] and not is_ordered(results, old["openssl_ciphers"], "old"):
status = "old with bad ordering" status = "old with bad ordering"
if is_intermediate(results): if is_intermediate(results):
status = "intermediate" status = "intermediate"
if not is_ordered(results, inter["openssl_ciphersuites"], "intermediate"): if inter["server_preferred_order"] and not is_ordered(results, inter["openssl_ciphers"], "intermediate"):
status = "intermediate with bad ordering" status = "intermediate with bad ordering"
if is_modern(results): if is_modern(results):
status = "modern" status = "modern"
if not is_ordered(results, modern["openssl_ciphersuites"], "modern"): if modern["server_preferred_order"] and not is_ordered(results, modern["openssl_ciphers"], "modern"):
status = "modern with bad ordering" status = "modern with bad ordering"
if is_fubar(results): if is_fubar(results):