From a11b594ab4644ede5a51de4913bf5c13fe940358 Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Fri, 17 Oct 2014 11:09:28 -0400
Subject: [PATCH] Fix dhparam size detection in inter and modern levels
---
 analyze.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/analyze.py b/analyze.py
index 600d0c0..e31903e 100755
--- a/analyze.py
+++ b/analyze.py
@@ -146,9 +146,10 @@ def is_intermediate(results):
 if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
 logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
 has_sha256 = False
- if conn['cipher'][0:2] == 'DHE':
- if conn['pfs'] != 'DH,2048bits':
- logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration')
+ if 'DHE' in conn['cipher'][0:3]:
+ dhparam = conn['pfs'].split(',')[1].split('b')[0]
+ if int(dhparam) < 2048:
+ logging.debug(conn['pfs']+ ' is not a good DH parameters for the intermediate configuration')
 inter = False
 has_dhparam = False
 if conn['ocsp_stapling'] == 'False':
@@ -172,7 +173,7 @@ def is_intermediate(results):
 if not has_sha256:
 failures[lvl].append("consider using a SHA-256 certificate")
 if not has_dhparam:
- failures[lvl].append("use a DH parameter of 2048 bits")
+ failures[lvl].append("use a DH parameter of 2048 bits or more")
 inter = False
 if not has_ocsp:
 failures[lvl].append("consider enabling OCSP Stapling")
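Review bot: The new parse `int(conn['pfs'].split(',')[1].split('b')[0])` in the first is_intermediate hunk raises IndexError or ValueError whenever the `pfs` field is not exactly of the form `DH,<n>bits`, and the same lines are repeated in the is_modern hunk. That field is derived from what the scanned server presented, so an unexpected value would abort the analysis instead of marking the host as non-compliant; the check should fail closed by treating an unparseable size as too small. A shared helper would also remove the duplicated parsing, as sketched below. Separately, the prefix test `'DHE' in conn['cipher'][0:3]` would presumably not match legacy suites that OpenSSL names with an `EDH-` prefix, so their DH size would go unchecked; worth confirming against the scanner's cipher naming. Both function bodies start and end outside the hunks.

```python
def dhparam_bits(pfs):
    # 'DH,2048bits' -> 2048; anything unparseable counts as 0 so the check fails closed
    try:
        return int(pfs.split(',')[1].split('b')[0])
    except (IndexError, ValueError):
        return 0

# … unchanged: sigalg check in is_intermediate / is_modern …
if 'DHE' in conn['cipher'][0:3]:
    if dhparam_bits(conn['pfs']) < 2048:
        # … unchanged: debug log and flag updates …
```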
@@ -201,10 +202,11 @@ def is_modern(results):
 logging.debug(conn['sigalg'][0] + ' is a not an modern signature')
 modern = False
 has_sha256 = False
- if conn['cipher'][0:2] == 'DHE':
- if conn['pfs'] != 'DH,2048bits':
- logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration')
- inter = False
+ if 'DHE' in conn['cipher'][0:3]:
+ dhparam = conn['pfs'].split(',')[1].split('b')[0]
+ if int(dhparam) < 2048:
+ logging.debug(conn['pfs']+ ' is not a good DH parameters for the modern configuration')
+ modern = False
 has_dhparam = False
 if conn['ocsp_stapling'] == 'False':
 has_ocsp = False
@@ -221,7 +223,7 @@ def is_modern(results):
 failures[lvl].append("use a SHA-256 certificate")
 modern = False
 if not has_dhparam:
- failures[lvl].append("use a DH parameter of 2048 bits")
+ failures[lvl].append("use a DH parameter of 2048 bits or more")
 modern = False
 if not has_ocsp:
 failures[lvl].append("consider enabling OCSP Stapling")