From 3a5c7b37c5500b719f0fff7be4731e95a28e43ef Mon Sep 17 00:00:00 2001 From: Sasha Romijn Date: Thu, 9 May 2024 14:14:25 +0200 Subject: [PATCH] Add CAMELLIA as sufficient --- checks/tasks/tls/scans.py | 14 ++++++++------ checks/tasks/tls/tls_constants.py | 18 ++++++++++++++++++ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py index f988445e78..00beb5d023 100644 --- a/checks/tasks/tls/scans.py +++ b/checks/tasks/tls/scans.py @@ -763,11 +763,11 @@ def test_cipher_order( (cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out), ] for expected_less_preferred, expected_more_preferred_list in order_tuples: - # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461 - expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name) if cipher_order_violation: - print("break out, got bad") break + # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461 + expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name) + print(f"checking server pref against: {[s.name for s in expected_more_preferred_list]}") for expected_more_preferred in expected_more_preferred_list: print( f"evaluating less {[s.name for s in expected_less_preferred]} vs " @@ -780,7 +780,7 @@ def test_cipher_order( ) if preferred_suite != expected_more_preferred: cipher_order_violation = [preferred_suite.name, expected_more_preferred.name] - print(f"break out, got bad inner: {cipher_order_violation}") + print(f"break out, got bad order: {cipher_order_violation}") break return TLSCipherOrderEvaluation( @@ -794,7 +794,8 @@ def test_cipher_order( def find_most_preferred_cipher_suite( server_connectivity_info: ServerConnectivityInfo, tls_version: TlsVersionEnum, cipher_suites: List[CipherSuite] ) -> CipherSuite: - suite_names = [suite.openssl_name for suite in cipher_suites] + suite_names = [suite.openssl_name for suite in cipher_suites]# if suite.name == "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] + suite_names = ["ECDHE-RSA-CHACHA20-POLY1305"] requires_legacy_openssl = True if tls_version == TlsVersionEnum.TLS_1_2: # For TLS 1.2, we need to pick the right version of OpenSSL depending on which cipher suite @@ -807,6 +808,7 @@ def find_most_preferred_cipher_suite( ssl_connection = server_connectivity_info.get_preconfigured_tls_connection( override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl ) + print(f"{suite_names=}") _set_cipher_suite_string(tls_version, ":".join(suite_names), ssl_connection.ssl_client) try: @@ -823,5 +825,5 @@ def find_most_preferred_cipher_suite( selected_cipher = CipherSuitesRepository.get_cipher_suite_with_openssl_name( tls_version, ssl_connection.ssl_client.get_current_cipher_name() ) - print(f"from CS {suite_names} selected {selected_cipher}") + print(f"from CS {[s.name for s in cipher_suites]} selected {selected_cipher}") return selected_cipher diff --git a/checks/tasks/tls/tls_constants.py b/checks/tasks/tls/tls_constants.py index b62396c767..9dbad4e56c 100644 --- a/checks/tasks/tls/tls_constants.py +++ b/checks/tasks/tls/tls_constants.py @@ -38,6 +38,10 @@ OpenSslEcNidEnum.SECP224R1, ] + + + + # NCSC appendix C, derived from table 2, 6 and 7 CIPHERS_GOOD = [ "TLS_AES_256_GCM_SHA384", @@ -69,6 +73,20 @@ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + # CAMELLIA is not in appendix C but is sufficient (footnote 31) + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", + ] CIPHERS_PHASE_OUT = [ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",