Add CAMELLIA as sufficient

checks/tasks/tls/scans.py

@@ -763,11 +763,11 @@ def test_cipher_order(
         (cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out),
     ]
     for expected_less_preferred, expected_more_preferred_list in order_tuples:
-        # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
-        expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name)
         if cipher_order_violation:
-            print("break out, got bad")
             break
+        # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
+        expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name)
+        print(f"checking server pref against: {[s.name for s in expected_more_preferred_list]}")
         for expected_more_preferred in expected_more_preferred_list:
             print(
                 f"evaluating less {[s.name for s in expected_less_preferred]} vs "
@@ -780,7 +780,7 @@ def test_cipher_order(
             )
             if preferred_suite != expected_more_preferred:
                 cipher_order_violation = [preferred_suite.name, expected_more_preferred.name]
-                print(f"break out, got bad inner: {cipher_order_violation}")
+                print(f"break out, got bad order: {cipher_order_violation}")
                 break
 
     return TLSCipherOrderEvaluation(
@@ -794,7 +794,8 @@ def test_cipher_order(
 def find_most_preferred_cipher_suite(
     server_connectivity_info: ServerConnectivityInfo, tls_version: TlsVersionEnum, cipher_suites: List[CipherSuite]
 ) -> CipherSuite:
-    suite_names = [suite.openssl_name for suite in cipher_suites]
+    suite_names = [suite.openssl_name for suite in cipher_suites]# if suite.name == "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
+    suite_names = ["ECDHE-RSA-CHACHA20-POLY1305"]
     requires_legacy_openssl = True
     if tls_version == TlsVersionEnum.TLS_1_2:
         # For TLS 1.2, we need to pick the right version of OpenSSL depending on which cipher suite
@@ -807,6 +808,7 @@ def find_most_preferred_cipher_suite(
     ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(
         override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl
     )
+    print(f"{suite_names=}")
     _set_cipher_suite_string(tls_version, ":".join(suite_names), ssl_connection.ssl_client)
 
     try:
@@ -823,5 +825,5 @@ def find_most_preferred_cipher_suite(
     selected_cipher = CipherSuitesRepository.get_cipher_suite_with_openssl_name(
         tls_version, ssl_connection.ssl_client.get_current_cipher_name()
     )
-    print(f"from CS {suite_names} selected {selected_cipher}")
+    print(f"from CS {[s.name for s in cipher_suites]} selected {selected_cipher}")
     return selected_cipher

checks/tasks/tls/tls_constants.py

@@ -38,6 +38,10 @@
     OpenSslEcNidEnum.SECP224R1,
 ]
 
+
+
+
+
 # NCSC appendix C, derived from table 2, 6 and 7
 CIPHERS_GOOD = [
     "TLS_AES_256_GCM_SHA384",
@@ -69,6 +73,20 @@
     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+    # CAMELLIA is not in appendix C but is sufficient (footnote 31)
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+
 ]
 CIPHERS_PHASE_OUT = [
     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",