2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

Fix dhparam size detection in inter and modern levels

This commit is contained in:
Julien Vehent 2014-10-17 11:09:28 -04:00
parent 28c6c2488b
commit a11b594ab4

View File

@ -146,9 +146,10 @@ def is_intermediate(results):
if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']: if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature') logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
has_sha256 = False has_sha256 = False
if conn['cipher'][0:2] == 'DHE': if 'DHE' in conn['cipher'][0:3]:
if conn['pfs'] != 'DH,2048bits': dhparam = conn['pfs'].split(',')[1].split('b')[0]
logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration') if int(dhparam) < 2048:
logging.debug(conn['pfs']+ ' is not a good DH parameters for the intermediate configuration')
inter = False inter = False
has_dhparam = False has_dhparam = False
if conn['ocsp_stapling'] == 'False': if conn['ocsp_stapling'] == 'False':
@ -172,7 +173,7 @@ def is_intermediate(results):
if not has_sha256: if not has_sha256:
failures[lvl].append("consider using a SHA-256 certificate") failures[lvl].append("consider using a SHA-256 certificate")
if not has_dhparam: if not has_dhparam:
failures[lvl].append("use a DH parameter of 2048 bits") failures[lvl].append("use a DH parameter of 2048 bits or more")
inter = False inter = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
@ -201,10 +202,11 @@ def is_modern(results):
logging.debug(conn['sigalg'][0] + ' is a not an modern signature') logging.debug(conn['sigalg'][0] + ' is a not an modern signature')
modern = False modern = False
has_sha256 = False has_sha256 = False
if conn['cipher'][0:2] == 'DHE': if 'DHE' in conn['cipher'][0:3]:
if conn['pfs'] != 'DH,2048bits': dhparam = conn['pfs'].split(',')[1].split('b')[0]
logging.debug(conn['pfs']+ ' is not a good DH parameters for the old configuration') if int(dhparam) < 2048:
inter = False logging.debug(conn['pfs']+ ' is not a good DH parameters for the modern configuration')
modern = False
has_dhparam = False has_dhparam = False
if conn['ocsp_stapling'] == 'False': if conn['ocsp_stapling'] == 'False':
has_ocsp = False has_ocsp = False
@ -221,7 +223,7 @@ def is_modern(results):
failures[lvl].append("use a SHA-256 certificate") failures[lvl].append("use a SHA-256 certificate")
modern = False modern = False
if not has_dhparam: if not has_dhparam:
failures[lvl].append("use a DH parameter of 2048 bits") failures[lvl].append("use a DH parameter of 2048 bits or more")
modern = False modern = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")