mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

fix ECC size in fubar pfs analysis

Julien Vehent 2014-10-18 07:23:24 -04:00
parent 244e9ca9f2
commit ebf4f8bcc7


@ -56,7 +56,7 @@ def is_fubar(results):
logging.debug(conn['pubkey'] + ' is a fubar pubkey size') logging.debug(conn['pubkey'] + ' is a fubar pubkey size')
fubar = True fubar = True
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 1024, 128): if not has_good_pfs(conn['pfs'], 1024, 160):
logging.debug(conn['pfs']+ ' is a fubar PFS parameters') logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
fubar = True fubar = True
has_wrong_pfs = True has_wrong_pfs = True
@ -77,7 +77,7 @@ def is_fubar(results):
if has_untrust_cert: if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate") failures[lvl].append("don't use an untrusted or self-signed certificate")
if has_wrong_pfs: if has_wrong_pfs:
failures[lvl].append("don't use DHE smaller than 1024bits or ECC smaller than 128bits") failures[lvl].append("don't use DHE smaller than 1024bits or ECC smaller than 160bits")
return fubar return fubar
# is_old assumes a configuration *is* old, and will return False if # is_old assumes a configuration *is* old, and will return False if
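Review bot: The new ECC floor of 160 is written twice, once in the call `has_good_pfs(conn['pfs'], 1024, 160)` and again inside the failure string appended under `if has_wrong_pfs:`, so the enforced limit and the advice shown to the operator can drift apart the next time a threshold moves. Defining the limits once, for example `FUBAR_MIN_DH_BITS = 1024` and `FUBAR_MIN_ECC_BITS = 160`, and building the message from those names would keep the two in step. has_good_pfs is defined outside these hunks, so it is worth confirming that its comparison matches the wording "smaller than 160bits", meaning a 160-bit curve passes and anything below it is flagged. is_fubar begins before the first hunk, so the rest of its body is not visible here.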