mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-25 07:23:41 +01:00
Update sigalg analyze from guidelines
This commit is contained in:
parent
ac02a7d3f1
commit
de1a292d1c
18
analyze.py
18
analyze.py
@ -114,7 +114,7 @@ def is_old(results):
|
|||||||
lvl = 'old'
|
lvl = 'old'
|
||||||
isold = True
|
isold = True
|
||||||
has_3des = False
|
has_3des = False
|
||||||
has_sha1 = True
|
has_sigalg = True
|
||||||
has_pfs = True
|
has_pfs = True
|
||||||
has_ocsp = True
|
has_ocsp = True
|
||||||
all_proto = []
|
all_proto = []
|
||||||
@ -131,11 +131,9 @@ def is_old(results):
|
|||||||
for proto in conn['protocols']:
|
for proto in conn['protocols']:
|
||||||
if proto not in all_proto:
|
if proto not in all_proto:
|
||||||
all_proto.append(proto)
|
all_proto.append(proto)
|
||||||
# verify required sha1 signature is used
|
if conn['sigalg'][0] not in old["certificate_signatures"]:
|
||||||
if 'sha1WithRSAEncryption' not in conn['sigalg']:
|
|
||||||
logging.debug(conn['sigalg'][0] + ' is a not an old signature')
|
logging.debug(conn['sigalg'][0] + ' is a not an old signature')
|
||||||
has_sha1 = False
|
has_sigalg = False
|
||||||
# verify required pfs parameter is used
|
|
||||||
if conn['pfs'] != 'None':
|
if conn['pfs'] != 'None':
|
||||||
if not has_good_pfs(conn['pfs'], old["dh_param_size"], old["ecdh_param_size"], True):
|
if not has_good_pfs(conn['pfs'], old["dh_param_size"], old["ecdh_param_size"], True):
|
||||||
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration')
|
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration')
|
||||||
@ -155,8 +153,8 @@ def is_old(results):
|
|||||||
logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
|
logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
|
||||||
failures[lvl].append("add cipher DES-CBC3-SHA")
|
failures[lvl].append("add cipher DES-CBC3-SHA")
|
||||||
isold = False
|
isold = False
|
||||||
if not has_sha1:
|
if not has_sigalg:
|
||||||
failures[lvl].append("use a certificate with sha1WithRSAEncryption signature")
|
failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"]))
|
||||||
isold = False
|
isold = False
|
||||||
if not has_pfs:
|
if not has_pfs:
|
||||||
failures[lvl].append("use DHE of {dhe}bits and ECC of {ecdhe}bits".format(
|
failures[lvl].append("use DHE of {dhe}bits and ECC of {ecdhe}bits".format(
|
||||||
@ -165,7 +163,7 @@ def is_old(results):
|
|||||||
if not has_ocsp:
|
if not has_ocsp:
|
||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'):
|
if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'):
|
||||||
failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "enforce client side ordering")
|
failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "allow client preference")
|
||||||
isold = False
|
isold = False
|
||||||
return isold
|
return isold
|
||||||
|
|
||||||
@ -219,7 +217,7 @@ def is_intermediate(results):
|
|||||||
if not has_ocsp:
|
if not has_ocsp:
|
||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
|
if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
|
||||||
failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering")
|
failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "allow client preference")
|
||||||
return isinter
|
return isinter
|
||||||
|
|
||||||
# is_modern is similar to is_old but for modern configuration from
|
# is_modern is similar to is_old but for modern configuration from
|
||||||
@ -268,7 +266,7 @@ def is_modern(results):
|
|||||||
if not has_ocsp:
|
if not has_ocsp:
|
||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
|
if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
|
||||||
failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering")
|
failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "allow client preference")
|
||||||
return ismodern
|
return ismodern
|
||||||
|
|
||||||
def is_ordered(results, ref_ciphersuite, lvl):
|
def is_ordered(results, ref_ciphersuite, lvl):
|
||||||
|
Loading…
Reference in New Issue
Block a user