From 2810c70163e82776f922112c6800106c1b9b9e67 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 28 Oct 2019 16:15:38 -0400
Subject: [PATCH] Address comments in #1205
This commit addresses the comments in #1205. If a server only supports TLS 1.3, then it is not considered an issue if the server does not enforce a cipher order. However, if the server does not support a cipher order for TLS 1.2 and below, then that is an issue, even if the server does support a cipher order for TLS 1.3.
---
 testssl.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index c96bbc6..6f809ad 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -6264,8 +6264,14 @@ run_server_preference() {
 [[ $cipher1 == $cipher2 ]] && has_cipher_order=true
 fi
+ debugme echo "has_cipher_order: $has_cipher_order"
+ debugme echo "has_tls13_cipher_order: $has_tls13_cipher_order"
- if ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
+ if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"; then
+ out "nope"
+ limitedsense=" (limited sense as client will pick)"
+ fileout "$jsonID" "INFO" "NOT a cipher order configured"
+ elif ! "$has_cipher_order" && ! "$has_tls13_cipher_order"; then
 # server used the different ends (ciphers) from the client hello
 pr_svrty_high "nope (NOT ok)"
 limitedsense=" (limited sense as client will pick)"
@@ -6274,10 +6280,11 @@ run_server_preference() {
 pr_svrty_good "yes (OK)"; out " -- only for < TLS 1.3"
 fileout "$jsonID" "OK" "server -- TLS 1.3 client determined"
 elif ! "$has_cipher_order" && "$has_tls13_cipher_order"; then
- pr_svrty_good "yes (OK)"; out " -- only for TLS 1.3"
- fileout "$jsonID" "OK" "server -- < TLS 1.3 client determined"
+ pr_svrty_high "nope (NOT ok)"; out " -- only for TLS 1.3"
+ fileout "$jsonID" "HIGH" "server -- < TLS 1.3 client determined"
 else
 pr_svrty_best "yes (OK)"
+ "$has_tls13_cipher_order" && out " -- TLS 1.3 and below"
 fileout "$jsonID" "OK" "server"
 fi
 outln
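Review bot: The new first branch in the `@@ -6264,8 +6264,14 @@` hunk (`if "$TLS13_ONLY" && ! "$has_tls13_cipher_order"`) records `NOT a cipher order configured` at INFO, but nothing in the finding text says the server is TLS 1.3 only, so a JSON/CSV consumer cannot tell why a missing cipher order was not rated as an issue. I would state the reason in both places: a comment above the branch such as `# TLS 1.3 only: a missing server cipher order is not rated as an issue (see #1205)`, and a finding like `fileout "$jsonID" "INFO" "NOT a cipher order configured (TLS 1.3 only)"`. The branch also executes `"$TLS13_ONLY"` as a command, which presumably relies on the variable being initialised to true/false outside this hunk; worth confirming. run_server_preference starts and ends outside the hunk.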
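Review bot: In the `@@ -6274,10 +6280,11 @@` hunk the branch `elif ! "$has_cipher_order" && "$has_tls13_cipher_order"` is raised to HIGH without consulting `$TLS13_ONLY`, so a TLS 1.3-only server that does enforce its order could be reported as "nope (NOT ok)" if `has_cipher_order` stays false when there is no protocol below TLS 1.3 to probe. How `has_cipher_order` is set lies above both hunks, so this needs confirming against the full function. If that case is reachable, guard the branch with `elif ! "$TLS13_ONLY" && ! "$has_cipher_order" && "$has_tls13_cipher_order"; then`, so the HIGH rating only applies when protocols below TLS 1.3 are actually offered. The added ` -- TLS 1.3 and below` suffix in the `else` branch would then need a TLS 1.3-only wording as well, and the JSON finding there still says only `server`.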