From ab3b4c6934520791ed0d88ef144029e86a032e5f Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sun, 27 Jul 2014 12:31:10 +0200
Subject: [PATCH 1/1] Give a more accurate effective key size for 3DES
---
 tls-check | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/tls-check b/tls-check
index 5e8e19e..5de58e4 100755
--- a/tls-check
+++ b/tls-check
@@ -124,10 +124,14 @@ class CipherPropsProvider:
 assert '\n' not in cipherInfo
 cipherInfoFields = cipherInfo.split()
 # get # of bits
- bitMatch = re.match(r'^Enc=[0-9A-Za-z]+\(([0-9]+)\)$', cipherInfoFields[4])
- if bitMatch is None:
+ encMatch = re.match(r'^Enc=([0-9A-Za-z]+)\(([0-9]+)\)$', cipherInfoFields[4])
+ if encMatch is None:
 raise Exception("Unexpected OpenSSL output: Cannot determine encryption strength from {1}\nComplete output: {0}".format(cipherInfo, cipherInfoFields[4]))
- bits = int(bitMatch.group(1))
+ encCipher = encMatch.group(1)
+ bits = int(encMatch.group(2))
+ if encCipher == '3DES':
+ # OpenSSL gives the key size, which however for 3DES is a totally bad estimate
+ bits = int(bits*2/3)
 # figure out whether the cipher is pfs
 kxMatch = re.match(r'^Kx=([0-9A-Z/()]+)$', cipherInfoFields[2])
 if kxMatch is None:
@@ -198,6 +202,6 @@ if __name__ == "__main__":
 if supported:
 cipherProps = propsProvider.getProps(cipher)
 fsText = ConsoleFormat.color("FS", ConsoleFormat.GREEN) if cipherProps.isPfs else ConsoleFormat.color("no FS", ConsoleFormat.RED)
- bitColor = ConsoleFormat.GREEN if cipherProps.bits > 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
+ bitColor = ConsoleFormat.GREEN if cipherProps.bits >= 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
 print(" {0} ({1}, {2}, {3})".format(cipher.ljust(STATE_WIDTH), cipherProps.strength.colorName(), ConsoleFormat.color(str(cipherProps.bits)+" bits", bitColor), fsText))
 print()
--
2.30.2
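Review bot: The comment on the new `if encCipher == '3DES':` branch calls OpenSSL's figure "a totally bad estimate" without saying why or where the two-thirds factor comes from, so a later maintainer cannot check it. I would write `# OpenSSL reports the raw key length (168 for 3-key 3DES); meet-in-the-middle limits the effective strength to about 112 bits` and keep the arithmetic in integers with `bits = bits * 2 // 3`, since `int(bits*2/3)` goes through a float on Python 3. The fixed factor assumes OpenSSL always reports the full three-key length for `3DES`; if a build ever reported a different figure the scaled value would be misleading. The enclosing method begins and ends outside this hunk.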
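Review bot: With `>= 128` on the `bitColor` line, the bit count is coloured green for every 128-bit suite, including ones whose cipher is weak for reasons other than key length (RC4, or block ciphers with a 64-bit block), so green here should not be read as an overall verdict. Whether `cipherProps.strength` already covers that is not visible in this hunk; a comment such as `# colour reflects effective key length only; cipher quality is shown by strength` above the `bitColor` line would make the split explicit. The literals 128 and 100 would also read better as named constants. The `if __name__ == "__main__":` block starts outside the hunk.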