
Commit 0d8511a

Changes to the colours of various weaker ciphers/etc. #333
1 parent 605520e commit 0d8511a

1 file changed

+31
-13
lines changed


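--- a/sslscan.c
+++ b/sslscan.c
@@ -1500,11 +1500,11 @@ int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
 return 1;
 switch (EVP_PKEY_id(key)) {
 case EVP_PKEY_RSA:
-if (EVP_PKEY_bits(key) <= 768)
+if (EVP_PKEY_bits(key) <= 1024)
 {
 printf(" RSA %s%d%s bits", COL_RED, EVP_PKEY_bits(key), RESET);
 }
-else if (EVP_PKEY_bits(key) <= 1024)
+else if (EVP_PKEY_bits(key) <= 2048)
 {
 printf(" RSA %s%d%s bits", COL_YELLOW, EVP_PKEY_bits(key), RESET);
 }
@@ -1515,11 +1515,11 @@ int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
 break;
 
 case EVP_PKEY_DH:
-if (EVP_PKEY_bits(key) <= 768)
+if (EVP_PKEY_bits(key) <= 1024)
 {
 printf(" DHE %s%d%s bits", COL_RED, EVP_PKEY_bits(key), RESET);
 }
-else if (EVP_PKEY_bits(key) <= 1024)
+else if (EVP_PKEY_bits(key) < 2048)
 {
 printf(" DHE %s%d%s bits", COL_YELLOW, EVP_PKEY_bits(key), RESET);
 }
@@ -1639,10 +1639,10 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 printf("%s??%s bits ", COL_YELLOW, RESET);
 } else if (cipherbits == 0) {
 printf("%s%d%s bits ", COL_RED_BG, cipherbits, RESET);
+} else if (cipherbits == 112) {
+printf("%s%d%s bits ", COL_YELLOW, cipherbits, RESET);
 } else if (cipherbits >= 112) {
 printf("%s%d%s bits ", COL_GREEN, cipherbits, RESET);
-} else if (cipherbits > 56) {
-printf("%s%d%s bits ", COL_YELLOW, cipherbits, RESET);
 } else
 printf("%s%d%s bits ", COL_RED, cipherbits, RESET);
 
@@ -1666,10 +1666,10 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 strength = "null";
 } else if (strstr(ciphername, "ADH") || strstr(ciphername, "AECDH") || strstr(ciphername, "_anon_")) {
 if (options->ianaNames) {
-printf("%s%-45s%s", COL_PURPLE, ciphername, RESET);
+printf("%s%-45s%s", COL_RED_BG, ciphername, RESET);
 }
 else {
-printf("%s%-29s%s", COL_PURPLE, ciphername, RESET);
+printf("%s%-29s%s", COL_RED_BG, ciphername, RESET);
 }
 strength = "anonymous";
 } else if (strstr(ciphername, "EXP")) {
@@ -1680,6 +1680,15 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 printf("%s%-29s%s", COL_RED, ciphername, RESET);
 }
 strength = "weak";
+} else if (strstr(ciphername, "MD5")) {
+/* SHA-1 isn't really exploitable in the contxt of TLS, but there's no reason to be using it any more */
+if (options->ianaNames) {
+printf("%s%-45s%s", COL_RED, ciphername, RESET);
+}
+else {
+printf("%s%-29s%s", COL_RED, ciphername, RESET);
+}
+strength = "medium";
 } else if (strstr(ciphername, "RC4") || strstr(ciphername, "DES")) {
 if (options->ianaNames) {
 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
@@ -1702,18 +1711,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 strength = "medium";
 } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
 if (options->ianaNames) {
-printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+printf("%s%-45s%s", COL_RED, ciphername, RESET);
 }
 else {
-printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+printf("%s%-29s%s", COL_RED, ciphername, RESET);
 }
 strength = "medium";
 } else if (strstr(ciphername, "_GOSTR341112_")) { /* Developed by Russian government */
 if (options->ianaNames) {
-printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+printf("%s%-45s%s", COL_RED, ciphername, RESET);
 }
 else {
-printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+printf("%s%-29s%s", COL_RED, ciphername, RESET);
 }
 strength = "medium";
 } else if ((strstr(ciphername, "CHACHA20") || (strstr(ciphername, "GCM"))) && (strstr(ciphername, "DHE") || (strcmp(cleanSslMethod, "TLSv1.3") == 0))) {
@@ -1724,6 +1733,15 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 printf("%s%-29s%s", COL_GREEN, ciphername, RESET);
 }
 strength = "strong";
+} else if (strstr(ciphername, "SHA") && !(strstr(ciphername, "SHA256") || strstr(ciphername, "SHA384"))) {
+/* SHA-1 isn't really exploitable in the contxt of TLS, but there's no reason to be using it any more */
+if (options->ianaNames) {
+printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+}
+else {
+printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+}
+strength = "medium";
 } else {
 if (options->ianaNames) {
 printf("%-45s", ciphername);
@@ -2082,7 +2100,7 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho
 
 if (keyBits < 112)
 color = COL_RED;
-else if (keyBits < 128)
+else if (keyBits <= 128)
 color = COL_YELLOW;
 
 printf("ECC Curve Name: %s\n", ec_group_name);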
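Review bot: The comment added above the new MD5 branch in outputCipher (`/* SHA-1 isn't really exploitable in the contxt of TLS ... */`) was copied from the SHA-1 branch further down and describes the wrong algorithm; a comment that matches the code would be `/* MD5-based MAC: legacy, flagged red */`. That branch also pairs COL_RED with `strength = "medium"`, while the EXP branch directly above pairs the same colour with `strength = "weak"` and the RC4/DES branch pairs "medium" with COL_YELLOW, so if the strength string feeds the non-colour (XML) output, MD5 suites are now reported inconsistently between the two outputs; either `strength = "weak";` or COL_YELLOW would restore the pairing. The same comment in the SHA-1 hunk has the typo `contxt`, and its `!(strstr(ciphername, "SHA256") || strstr(ciphername, "SHA384"))` exclusion would misclassify any suite name containing another SHA-2 suffix (e.g. "SHA512") as SHA-1 if such names reach this function — worth confirming against the cipher lists in use. In ssl_print_tmp_key the new RSA bound `<= 2048` and DH bound `< 2048` disagree on whether a 2048-bit ephemeral key is coloured yellow, which looks unintended. Both functions start and end outside these hunks.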
