@@ -268,6 +268,7 @@ NR_HEADER_FAIL=0 # .. for HTTP_GET
268268PROTOS_OFFERED="" # This keeps which protocol is being offered. See has_server_protocol().
269269TLS12_CIPHER_OFFERED="" # This contains the hexcode of a cipher known to be supported by the server with TLS 1.2
270270CURVES_OFFERED="" # This keeps which curves have been detected. Just for error handling
271+ NO_CIPHER_ORDER_LEVEL=5 # This is the finding level to report if the server does not enforce a cipher order for one or more protocol versions.
271272KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
272273DETECTED_TLS_VERSION="" # .. as hex string, e.g. 0300 or 0303
273274APP_TRAF_KEY_INFO="" # Information about the application traffic keys for a TLS 1.3 connection.
@@ -4243,6 +4244,7 @@ ciphers_by_strength() {
42434244 local available proto_supported=false
42444245 local id
42454246 local has_dh_bits="$HAS_DH_BITS"
4247+ local -i quality worst_cipher=8 best_cipher=0 difference_rating=5
42464248
42474249 # for local problem if it happens
42484250 "$wide" || out " "
@@ -4505,12 +4507,67 @@ ciphers_by_strength() {
45054507 fi
45064508
45074509 if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then
4508- if [[ $proto_ossl == tls1_3 ]]; then
4509- outln " (no server order, thus listed by strength)"
4510- elif ! "$serverpref_known"; then
4510+ if ! "$serverpref_known"; then
45114511 outln " (listed by strength)"
45124512 else
4513- prln_svrty_high " (no server order, thus listed by strength)"
4513+ # Determine the best and worst quality level findings for the supported ciphers
4514+ for (( i=0 ; i<nr_ciphers; i++ )); do
4515+ if "${ciphers_found[i]}"; then
4516+ if [[ "${rfc_ciph[i]}" != - ]]; then
4517+ get_cipher_quality "${rfc_ciph[i]}"
4518+ else
4519+ get_cipher_quality ${ciph[i]}
4520+ fi
4521+ quality=$?
4522+ [[ $quality -lt $worst_cipher ]] && worst_cipher=$quality
4523+ [[ $quality -gt $best_cipher ]] && best_cipher=$quality
4524+ fi
4525+ done
4526+ # Assign a rating (severity level) based on the difference between the levels
4527+ # of the best and worst supported ciphers.
4528+ if [[ $worst_cipher -ne $best_cipher ]]; then
4529+ case $best_cipher in
4530+ 3|5|6|7)
4531+ difference_rating=$worst_cipher
4532+ [[ $difference_rating -gt 5 ]] && difference_rating=5
4533+ ;;
4534+ 4)
4535+ case $worst_cipher in
4536+ 3) difference_rating=4 ;;
4537+ 2) difference_rating=2 ;;
4538+ 1) difference_rating=1 ;;
4539+ esac
4540+ ;;
4541+ 2)
4542+ difference_rating=2
4543+ ;;
4544+ esac
4545+ fi
4546+
4547+ [[ $difference_rating -lt $NO_CIPHER_ORDER_LEVEL ]] && NO_CIPHER_ORDER_LEVEL=$difference_rating
4548+ id="cipher_order${proto}"
4549+ case $difference_rating in
4550+ 5)
4551+ outln " (no server order, thus listed by strength)"
4552+ fileout "$id" "INFO" "NOT a cipher order configured"
4553+ ;;
4554+ 4)
4555+ prln_svrty_low " (no server order, thus listed by strength)"
4556+ fileout "$id" "LOW" "NOT a cipher order configured"
4557+ ;;
4558+ 3)
4559+ prln_svrty_medium " (no server order, thus listed by strength)"
4560+ fileout "$id" "MEDIUM" "NOT a cipher order configured"
4561+ ;;
4562+ 2)
4563+ prln_svrty_high " (no server order, thus listed by strength)"
4564+ fileout "$id" "HIGH" "NOT a cipher order configured"
4565+ ;;
4566+ 1)
4567+ prln_svrty_critical " (no server order, thus listed by strength)"
4568+ fileout "$id" "CRITICAL" "NOT a cipher order configured"
4569+ ;;
4570+ esac
45144571 fi
45154572 elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
45164573 outln
@@ -6650,7 +6707,7 @@ run_server_preference() {
66506707 local has_cipher_order=false has_tls13_cipher_order=false
66516708 local addcmd="" addcmd2=""
66526709 local using_sockets=true
6653- local jsonID="cipher_order"
6710+ local jsonID="cipher_order" fileout_msg="" fileout_rating="" terminal_msg=""
66546711 local cwe="CWE-310"
66556712 local cve=""
66566713
@@ -6824,23 +6881,58 @@ run_server_preference() {
68246881
68256882 pr_bold " Has server cipher order? "
68266883 jsonID="cipher_order"
6884+ case $NO_CIPHER_ORDER_LEVEL in
6885+ 5) fileout_rating="INFO" ;;
6886+ 4) fileout_rating="LOW" ;;
6887+ 3) fileout_rating="MEDIUM" ;;
6888+ 2) fileout_rating="HIGH" ;;
6889+ 1) fileout_rating="CRITICAL" ;;
6890+ esac
68276891 if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
6828- out "no (TLS 1.3 only)"
6892+ terminal_msg= "no (TLS 1.3 only)"
68296893 limitedsense=" (limited sense as client will pick)"
6830- fileout "$jsonID" "INFO" "not a cipher order for TLS 1.3 configured"
6894+ fileout_msg= "not a cipher order for TLS 1.3 configured"
68316895 elif ! "$TLS13_ONLY" && [[ -z "$cipher2" ]]; then
68326896 pr_warning "unable to determine"
68336897 elif ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
68346898 # server used the different ends (ciphers) from the client hello
6835- pr_svrty_high "no (NOT ok)"
6899+ terminal_msg="no (NOT ok)"
6900+ [[ "$fileout_rating" == INFO ]] && terminal_msg="no"
68366901 limitedsense=" (limited sense as client will pick)"
6837- fileout "$jsonID" "HIGH" "NOT a cipher order configured"
6902+ fileout_msg= "NOT a cipher order configured"
68386903 elif "$has_cipher_order" && ! "$has_tls13_cipher_order" && [[ "$default_proto" == TLSv1.3 ]]; then
6839- pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
6840- fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
6904+ if [[ $NO_CIPHER_ORDER_LEVEL -eq 5 ]]; then
6905+ pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
6906+ fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
6907+ else
6908+ # The server does not enforce a cipher order for TLS 1.3 and it
6909+ # accepts some lower quality TLS 1.3 ciphers.
6910+ terminal_msg="only for < TLS 1.3"
6911+ fileout_msg="server -- TLS 1.3 client determined"
6912+ fi
68416913 elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
6842- pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
6843- fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
6914+ case "$fileout_rating" in
6915+ "INFO")
6916+ out "only for TLS 1.3"
6917+ fileout "$jsonID" "INFO" "server -- < TLS 1.3 client determined"
6918+ ;;
6919+ "LOW")
6920+ pr_svrty_low "no (NOT ok)"; out " -- only for TLS 1.3"
6921+ fileout "$jsonID" "LOW" "server -- < TLS 1.3 client determined"
6922+ ;;
6923+ "MEDIUM")
6924+ pr_svrty_medium "no (NOT ok)"; out " -- only for TLS 1.3"
6925+ fileout "$jsonID" "MEDIUM" "server -- < TLS 1.3 client determined"
6926+ ;;
6927+ "HIGH")
6928+ pr_svrty_high "no (NOT ok)"; out " -- only for TLS 1.3"
6929+ fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
6930+ ;;
6931+ "CRITICAL")
6932+ pr_svrty_critical "no (NOT ok)"; out " -- only for TLS 1.3"
6933+ fileout "$jsonID" "CRITICAL" "server -- < TLS 1.3 client determined"
6934+ ;;
6935+ esac
68446936 else
68456937 if "$has_tls13_cipher_order"; then
68466938 if "$TLS13_ONLY"; then
@@ -6857,6 +6949,17 @@ run_server_preference() {
68576949 fileout "$jsonID" "OK" "server"
68586950 fi
68596951 fi
6952+ if [[ -n "$fileout_msg" ]]; then
6953+ case "$fileout_rating" in
6954+ "INFO") out "$terminal_msg" ;;
6955+ "OK") pr_svrty_good "$terminal_msg" ;;
6956+ "LOW") pr_svrty_low "$terminal_msg" ;;
6957+ "MEDIUM") pr_svrty_medium "$terminal_msg" ;;
6958+ "HIGH") pr_svrty_high "$terminal_msg" ;;
6959+ "CRITICAL") pr_svrty_critical "$terminal_msg" ;;
6960+ esac
6961+ fileout "$jsonID" "$fileout_rating" "$fileout_msg"
6962+ fi
68606963 outln
68616964
68626965 pr_bold " Negotiated protocol "
@@ -7361,8 +7464,10 @@ cipher_pref_check() {
73617464 fi
73627465 if "$prioritize_chacha"; then
73637466 outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
7467+ fileout "cipher_order-${proto}" "OK" "server -- server prioritizes ChaCha ciphers when preferred by clients"
73647468 elif [[ -n "$order" ]]; then
73657469 outln " (server order)"
7470+ fileout "cipher_order-${proto}" "OK" "server"
73667471 else
73677472 outln
73687473 fi
@@ -23469,6 +23574,7 @@ reset_hostdepended_vars() {
2346923574 PROTOS_OFFERED=""
2347023575 TLS12_CIPHER_OFFERED=""
2347123576 CURVES_OFFERED=""
23577+ NO_CIPHER_ORDER_LEVEL=5
2347223578 KNOWN_OSSL_PROB=false
2347323579 TLS13_ONLY=false
2347423580 CLIENT_AUTH="none"
0 commit comments