Fix dhparam size detection in inter and modern levels
This commit is contained in:
parent
28c6c2488b
commit
a11b594ab4
20
analyze.py
20
analyze.py
@ -146,9 +146,10 @@ def is_intermediate(results):
|
|||||||
if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
|
if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
|
||||||
logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
|
logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
|
||||||
has_sha256 = False
|
has_sha256 = False
|
||||||
if conn['cipher'][0:2] == 'DHE':
|
if 'DHE' in conn['cipher'][0:3]:
|
||||||
if conn['pfs'] != 'DH,2048bits':
|
dhparam = conn['pfs'].split(',')[1].split('b')[0]
|
||||||
logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration')
|
if int(dhparam) < 2048:
|
||||||
|
logging.debug(conn['pfs']+ ' is not a good DH parameters for the intermediate configuration')
|
||||||
inter = False
|
inter = False
|
||||||
has_dhparam = False
|
has_dhparam = False
|
||||||
if conn['ocsp_stapling'] == 'False':
|
if conn['ocsp_stapling'] == 'False':
|
||||||
@ -172,7 +173,7 @@ def is_intermediate(results):
|
|||||||
if not has_sha256:
|
if not has_sha256:
|
||||||
failures[lvl].append("consider using a SHA-256 certificate")
|
failures[lvl].append("consider using a SHA-256 certificate")
|
||||||
if not has_dhparam:
|
if not has_dhparam:
|
||||||
failures[lvl].append("use a DH parameter of 2048 bits")
|
failures[lvl].append("use a DH parameter of 2048 bits or more")
|
||||||
inter = False
|
inter = False
|
||||||
if not has_ocsp:
|
if not has_ocsp:
|
||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
@ -201,10 +202,11 @@ def is_modern(results):
|
|||||||
logging.debug(conn['sigalg'][0] + ' is a not an modern signature')
|
logging.debug(conn['sigalg'][0] + ' is a not an modern signature')
|
||||||
modern = False
|
modern = False
|
||||||
has_sha256 = False
|
has_sha256 = False
|
||||||
if conn['cipher'][0:2] == 'DHE':
|
if 'DHE' in conn['cipher'][0:3]:
|
||||||
if conn['pfs'] != 'DH,2048bits':
|
dhparam = conn['pfs'].split(',')[1].split('b')[0]
|
||||||
logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration')
|
if int(dhparam) < 2048:
|
||||||
inter = False
|
logging.debug(conn['pfs']+ ' is not a good DH parameters for the modern configuration')
|
||||||
|
modern = False
|
||||||
has_dhparam = False
|
has_dhparam = False
|
||||||
if conn['ocsp_stapling'] == 'False':
|
if conn['ocsp_stapling'] == 'False':
|
||||||
has_ocsp = False
|
has_ocsp = False
|
||||||
@ -221,7 +223,7 @@ def is_modern(results):
|
|||||||
failures[lvl].append("use a SHA-256 certificate")
|
failures[lvl].append("use a SHA-256 certificate")
|
||||||
modern = False
|
modern = False
|
||||||
if not has_dhparam:
|
if not has_dhparam:
|
||||||
failures[lvl].append("use a DH parameter of 2048 bits")
|
failures[lvl].append("use a DH parameter of 2048 bits or more")
|
||||||
modern = False
|
modern = False
|
||||||
if not has_ocsp:
|
if not has_ocsp:
|
||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
|
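Review bot: The new `dhparam = conn['pfs'].split(',')[1].split('b')[0]` followed by `int(dhparam)` raises IndexError or ValueError whenever `conn['pfs']` is not of the form `DH,<n>bits` (the only shape the page shows is the old literal `'DH,2048bits'`; if the scanner can emit a value without a comma or without a numeric size, this turns a scoring step into a crash), and the same parsing appears in both the is_intermediate and is_modern hunks. The old string comparison never raised, so the fix should keep that property: guard the parse with `if conn['pfs'].startswith('DH,'):` and derive the size inside it, or wrap the `int()` in `try/except ValueError` and treat an unparsable value as not meeting the level. The condition `if 'DHE' in conn['cipher'][0:3]:` is just a prefix test and reads more clearly as `if conn['cipher'].startswith('DHE'):`, which also avoids the impression that ECDHE suites are matched (they are not, since the slice is three characters). Both enclosing functions start and end outside the hunks shown.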