it seems EXP and LOW ciphersuits are gone

[tls-check.git] / tls-check
diff --git a/tls-check b/tls-check

index 84ca0094df53a911e9a739d536b388fcb958282d..bb2fc63fb49df50c80ab38be9a73cf708295c421 100755 (executable)
--- a/tls-check
+++ b/tls-check
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
  import subprocess, sys, argparse, time, re
  from collections import OrderedDict, namedtuple
  from enum import Enum
  import subprocess, sys, argparse, time, re
  from collections import OrderedDict, namedtuple
  from enum import Enum
@@ -59,7 +59,7 @@ def test_cipher(host, port, protocol, cipher = None, wait_time=0, options=[]):
      try:
          if cipher is not None:
              options = ["-cipher", cipher]+options
      try:
          if cipher is not None:
              options = ["-cipher", cipher]+options
-        subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port)]+options,
+        subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port), "-servername", host]+options,
                                stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
      except subprocess.CalledProcessError:
          return False
                                stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
      except subprocess.CalledProcessError:
          return False
@@ -112,13 +112,15 @@ CipherProps = namedtuple('CipherProps', 'bits, strength, isPfs')
  
  class CipherPropsProvider:
      def __init__(self):
  
  class CipherPropsProvider:
      def __init__(self):
-        self.exp = set(list_ciphers("EXP"))
-        self.low = set(list_ciphers("LOW"))
          self.medium = set(list_ciphers("MEDIUM"))
          self.high = set(list_ciphers("HIGH"))
          self.props = {}
      
      def getProps(self, protocol, cipher):
          self.medium = set(list_ciphers("MEDIUM"))
          self.high = set(list_ciphers("HIGH"))
          self.props = {}
      
      def getProps(self, protocol, cipher):
+        # strip the sub-version-number from the protocol
+        pos = protocol.find('_')
+        if pos >= 0:
+            protocol = protocol[:pos]
          # as OpenSSL about this cipher
          cipherInfo = subprocess.check_output(["openssl", "ciphers", "-v", "-"+protocol, cipher]).decode('UTF-8').strip()
          assert '\n' not in cipherInfo, "Cipher "+cipher+" produced unexpected output:\n"+cipherInfo
          # as OpenSSL about this cipher
          cipherInfo = subprocess.check_output(["openssl", "ciphers", "-v", "-"+protocol, cipher]).decode('UTF-8').strip()
          assert '\n' not in cipherInfo, "Cipher "+cipher+" produced unexpected output:\n"+cipherInfo
@@ -139,16 +141,10 @@ class CipherPropsProvider:
          kx = kxMatch.group(1)
          isPfs = kx in ('DH', 'DH(512)', 'ECDH')
          # determine security level
          kx = kxMatch.group(1)
          isPfs = kx in ('DH', 'DH(512)', 'ECDH')
          # determine security level
-        isExp = cipher in self.exp
-        isLow = cipher in self.low
          isMedium = cipher in self.medium
          isHigh = cipher in self.high
          isMedium = cipher in self.medium
          isHigh = cipher in self.high
-        assert isExp+isLow+isMedium+isHigh <= 1, "Cipher "+cipher+" is more than one from EXP, LOW, MEDIUM, HIGH"
-        if isExp:
-            strength = CipherStrength.exp
-        elif isLow:
-            strength = CipherStrength.low
-        elif isMedium:
+        assert isMedium+isHigh <= 1, "Cipher "+cipher+" is more than one from EXP, LOW, MEDIUM, HIGH"
+        if isMedium:
              strength = CipherStrength.medium
          elif isHigh:
              strength = CipherStrength.high
              strength = CipherStrength.medium
          elif isHigh:
              strength = CipherStrength.high