From f5ad5806c35ee389d08f5c1aade6672f93e8c211 Mon Sep 17 00:00:00 2001 From: Awad Mackie Date: Sun, 21 Aug 2016 13:16:54 +0100 Subject: [PATCH 1/4] Allow EC keys to have a smaller bitsize --- analyze.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/analyze.py b/analyze.py index 638606f..ad99d02 100755 --- a/analyze.py +++ b/analyze.py @@ -43,14 +43,21 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False): def is_fubar(results): logging.debug('entering fubar evaluation') lvl = 'fubar' + min_ec_size = min(old["ecdh_param_size"], inter["ecdh_param_size"], modern["ecdh_param_size"]) + fubar = False has_ssl2 = False has_wrong_pubkey = False + has_wrong_ec_pubkey = False has_bad_sig = False has_untrust_cert = False has_wrong_pfs = False + for conn in results['ciphersuite']: logging.debug('testing connection %s' % conn) + pubkey_bits = int(conn['pubkey'][0]) + ec_kex = conn['cipher'].startswith('ECDHE-') + if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])): failures[lvl].append("remove cipher " + conn['cipher']) logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') @@ -59,10 +66,14 @@ def is_fubar(results): has_ssl2 = True logging.debug('SSLv2 is in the list of fubar protocols') fubar = True - if int(conn['pubkey'][0]) < 2048: + if not ec_kex and pubkey_bits < 2048: has_wrong_pubkey = True logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size') fubar = True + if ec_kex and pubkey_bits < min_ec_size: + has_wrong_ec_pubkey = True + logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size') + fubar = True if conn['pfs'] != 'None': if not has_good_pfs(conn['pfs'], 1024, 160): logging.debug(conn['pfs']+ ' is a fubar PFS parameters') @@ -82,6 +93,8 @@ def is_fubar(results): failures[lvl].append("don't use a cert with a bad signature algorithm") if has_wrong_pubkey: failures[lvl].append("don't use a public key smaller than 2048 bits") + if has_wrong_ec_pubkey: + failures[lvl].append("don't use an EC key smaller than " + str(min_ec_size)) if has_untrust_cert: failures[lvl].append("don't use an untrusted or self-signed certificate") if has_wrong_pfs: From 955d55a6bae0236d0045937ed5babf0a8175c391 Mon Sep 17 00:00:00 2001 From: Awad Mackie Date: Mon, 22 Aug 2016 23:33:28 +0100 Subject: [PATCH 2/4] Update EC check to use regexp and match all OpenSSL EC cipher suite variants --- analyze.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analyze.py b/analyze.py index ad99d02..afe970b 100755 --- a/analyze.py +++ b/analyze.py @@ -7,7 +7,7 @@ from __future__ import print_function -import sys, os, json, subprocess, logging, argparse, platform, urllib2 +import sys, os, json, subprocess, logging, argparse, platform, urllib2, re from collections import namedtuple from datetime import datetime from copy import deepcopy @@ -56,7 +56,7 @@ def is_fubar(results): for conn in results['ciphersuite']: logging.debug('testing connection %s' % conn) pubkey_bits = int(conn['pubkey'][0]) - ec_kex = conn['cipher'].startswith('ECDHE-') + ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher']) if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])): failures[lvl].append("remove cipher " + conn['cipher']) From 3a2a43f91da1d73f987b60f56b8bd29f01279e0d Mon Sep 17 00:00:00 2001 From: Awad Mackie Date: Mon, 22 Aug 2016 23:44:13 +0100 Subject: [PATCH 3/4] Hardcode minimum EC key size --- analyze.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/analyze.py b/analyze.py index afe970b..cf24678 100755 --- a/analyze.py +++ b/analyze.py @@ -43,7 +43,6 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False): def is_fubar(results): logging.debug('entering fubar evaluation') lvl = 'fubar' - min_ec_size = min(old["ecdh_param_size"], inter["ecdh_param_size"], modern["ecdh_param_size"]) fubar = False has_ssl2 = False @@ -70,7 +69,7 @@ def is_fubar(results): has_wrong_pubkey = True logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size') fubar = True - if ec_kex and pubkey_bits < min_ec_size: + if ec_kex and pubkey_bits < 160: has_wrong_ec_pubkey = True logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size') fubar = True @@ -94,7 +93,7 @@ def is_fubar(results): if has_wrong_pubkey: failures[lvl].append("don't use a public key smaller than 2048 bits") if has_wrong_ec_pubkey: - failures[lvl].append("don't use an EC key smaller than " + str(min_ec_size)) + failures[lvl].append("don't use an EC key smaller than 160 bits") if has_untrust_cert: failures[lvl].append("don't use an untrusted or self-signed certificate") if has_wrong_pfs: From bb3e89ec09020fe1e4d78056e2f4d0f45739ddc5 Mon Sep 17 00:00:00 2001 From: Awad Mackie Date: Thu, 25 Aug 2016 00:40:39 +0100 Subject: [PATCH 4/4] Update fubar EC parameter size to 256 --- analyze.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analyze.py b/analyze.py index cf24678..c886ee8 100755 --- a/analyze.py +++ b/analyze.py @@ -69,7 +69,7 @@ def is_fubar(results): has_wrong_pubkey = True logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size') fubar = True - if ec_kex and pubkey_bits < 160: + if ec_kex and pubkey_bits < 256: has_wrong_ec_pubkey = True logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size') fubar = True @@ -93,7 +93,7 @@ def is_fubar(results): if has_wrong_pubkey: failures[lvl].append("don't use a public key smaller than 2048 bits") if has_wrong_ec_pubkey: - failures[lvl].append("don't use an EC key smaller than 160 bits") + failures[lvl].append("don't use an EC key smaller than 256 bits") if has_untrust_cert: failures[lvl].append("don't use an untrusted or self-signed certificate") if has_wrong_pfs: