Include cipher order information in file output on a per protocol basis

David Cooper · David Cooper · commit 5c889bde0fd2 · 2022-10-20T12:49:22.000-07:00
This commit fileout() calls to ciphers_by_strength() and cipher_pref_check() to indicate whether or not the server enforces a cipher order for a protocol version.
diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
@@ -18,6 +18,7 @@
 "cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
 "cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
 "cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
+"cipher_order-tls1","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -26,6 +27,7 @@
 "cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_1","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
@@ -34,6 +36,7 @@
 "cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
+"cipher_order-tls1_2","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
 "cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
 "cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
@@ -52,6 +55,7 @@
 "cipher-tls1_2_x3d","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256","",""
 "cipher-tls1_2_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1_2","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA","",""
+"cipher_order-tls1_3","testssl.sh/81.169.166.184","443","OK","server","",""
 "cipher-tls1_3_x1302","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
 "cipher-tls1_3_x1303","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256","",""
 "cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
diff --git a/testssl.sh b/testssl.sh
@@ -4545,12 +4545,28 @@ ciphers_by_strength() {
                fi
                
                [[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
+               id="cipher_order${proto}"
                case $difference_rating in
-                    5) outln " (no server order, thus listed by strength)" ;;
-                    4) prln_svrty_low " (no server order, thus listed by strength)" ;; 
-                    3) prln_svrty_medium " (no server order, thus listed by strength)" ;;
-                    2) prln_svrty_high " (no server order, thus listed by strength)" ;;
-                    1) prln_svrty_critical " (no server order, thus listed by strength)" ;;
+                    5)
+                         outln " (no server order, thus listed by strength)"
+                         fileout "$id" "INFO" "NOT a cipher order configured"
+                         ;;
+                    4)
+                         prln_svrty_low " (no server order, thus listed by strength)"
+                         fileout "$id" "LOW" "NOT a cipher order configured"
+                         ;; 
+                    3)
+                         prln_svrty_medium " (no server order, thus listed by strength)"
+                         fileout "$id" "MEDIUM" "NOT a cipher order configured"
+                         ;;
+                    2)
+                         prln_svrty_high " (no server order, thus listed by strength)"
+                         fileout "$id" "HIGH" "NOT a cipher order configured"
+                         ;;
+                    1)
+                         prln_svrty_critical " (no server order, thus listed by strength)"
+                         fileout "$id" "CRITICAL" "NOT a cipher order configured"
+                         ;;
                esac
           fi
      elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
@@ -7448,8 +7464,10 @@ cipher_pref_check() {
      fi
      if "$prioritize_chacha"; then
           outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
+          fileout "cipher_order-${proto}" "OK" "server -- server prioritizes ChaCha ciphers when preferred by clients"
      elif [[ -n "$order" ]]; then
           outln " (server order)"
+          fileout "cipher_order-${proto}" "OK" "server"
      else
           outln
      fi
