LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-25 07:23:41 +01:00
Code Issues Releases Wiki Activity

Fix failure for old protocols, int+modern ordering and kx

Browse Source
This commit is contained in:
Jan Brasna 2024-11-18 00:09:34 +01:00 committed by GitHub
parent ecdc24b057
commit ac02a7d3f1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 5 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
analyze.py
View File

@ -150,8 +150,7 @@ def is_old(results):
missing_proto = set(old["tls_versions"]) - set(all_proto) missing_proto = set(old["tls_versions"]) - set(all_proto)
for proto in missing_proto: for proto in missing_proto:
logging.debug("missing protocol wanted in the old configuration:" + proto) logging.debug("missing protocol wanted in the old configuration:" + proto)
failures[lvl].append('enable ' + proto) failures[lvl].append('consider enabling ' + proto)
isold = False
if not has_3des: if not has_3des:
logging.debug("DES-CBC3-SHA is not supported and required by the old configuration") logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
failures[lvl].append("add cipher DES-CBC3-SHA") failures[lvl].append("add cipher DES-CBC3-SHA")
@ -171,7 +170,7 @@ def is_old(results):
return isold return isold
# is_intermediate is similar to is_old but for intermediate configuration from # is_intermediate is similar to is_old but for intermediate configuration from
# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
def is_intermediate(results): def is_intermediate(results):
logging.debug('entering intermediate evaluation') logging.debug('entering intermediate evaluation')
lvl = 'intermediate' lvl = 'intermediate'
@ -214,12 +213,13 @@ def is_intermediate(results):
failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"])) failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"]))
isinter = False isinter = False
if not has_pfs: if not has_pfs:
failures[lvl].append("consider using DHE of at least 2048bits and ECC 256bit and greater") failures[lvl].append("use DHE of at least {dhe}bits and ECC of {ecdhe}bits and greater".format(
dhe=inter["dh_param_size"], ecdhe=inter["ecdh_param_size"]))
isinter = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'): if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering") failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering")
isinter = False
return isinter return isinter
# is_modern is similar to is_old but for modern configuration from # is_modern is similar to is_old but for modern configuration from
@ -247,7 +247,6 @@ def is_modern(results):
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], modern["dh_param_size"], modern["ecdh_param_size"], True): if not has_good_pfs(conn['pfs'], modern["dh_param_size"], modern["ecdh_param_size"], True):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the modern configuration') logging.debug(conn['pfs']+ ' is not a good PFS parameter for the modern configuration')
ismodern = False
has_pfs = False has_pfs = False
if conn['ocsp_stapling'] == 'False': if conn['ocsp_stapling'] == 'False':
has_ocsp = False has_ocsp = False
@ -270,7 +269,6 @@ def is_modern(results):
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'): if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering") failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering")
ismodern = False
return ismodern return ismodern
def is_ordered(results, ref_ciphersuite, lvl): def is_ordered(results, ref_ciphersuite, lvl):