
Improve detection of missing SHA2 key exchange
mxsasha committed Dec 9, 2024
1 parent 9bb6c41 commit e9e1fd0
Showing 2 changed files with 9 additions and 3 deletions.
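--- a/checks/tasks/tls/scans.py
+++ b/checks/tasks/tls/scans.py
@@ -14,7 +14,7 @@
 from cryptography.x509 import Certificate
 from django.conf import settings
 from nassl._nassl import OpenSSLError
-from nassl.ssl_client import ClientCertificateRequested
+from nassl.ssl_client import ClientCertificateRequested, OpenSslDigestNidEnum
 from sslyze import (
     ScanCommand,
     ServerScanRequest,
@@ -863,9 +863,15 @@ def test_key_exchange_hash(
 
     try:
         ssl_connection.connect()
+        if ssl_connection.ssl_client.get_peer_signature_nid() == OpenSslDigestNidEnum.SHA1:
+            log.info("Failed SHA2 key exchange check: negotiated SHA1 even when only offering SHA2")
+            return KeyExchangeHashFunctionEvaluation(
+                status=KexHashFuncStatus.bad,
+                score=scoring.WEB_TLS_KEX_HASH_FUNC_BAD,
+            )
     except ClientCertificateRequested:
         pass
-    except (ServerRejectedTlsHandshake, TlsHandshakeTimedOut) as exc:
+    except (ServerRejectedTlsHandshake, TlsHandshakeTimedOut, OpenSSLError) as exc:
         log.info(f"Failed SHA2 key exchange check: {exc}")
         return KeyExchangeHashFunctionEvaluation(
             status=KexHashFuncStatus.bad,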
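Review bot: The new check after `ssl_connection.connect()` only fails the server when the negotiated peer signature digest is exactly SHA1, so any other non-SHA2 outcome (MD5, or an unrecognized/absent NID, if the library can return one) still passes as a SHA2 key exchange; the check reads more safely as an allowlist, e.g. `if ssl_connection.ssl_client.get_peer_signature_nid() not in (OpenSslDigestNidEnum.SHA256, OpenSslDigestNidEnum.SHA384, OpenSslDigestNidEnum.SHA512):`, assuming the enum exposes those members. It would also help to include the actual negotiated NID in that log line rather than the fixed "negotiated SHA1" text, so a mismatch between the comparison and reality is visible in the logs. Widening the except clause to `OpenSSLError` now maps any OpenSSL-level failure during connect (including client-side ones unrelated to the server's digest choice) to a `bad` result under the same message; a short comment stating why that error is treated as a server-side rejection, such as `# OpenSSLError here means the handshake failed with only SHA2 offered; treat like a rejection`, would document the intent. The enclosing test_key_exchange_hash function starts and ends outside this hunk, so the connection setup and cleanup could not be reviewed.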
2 changes: 1 addition & 1 deletion vendor/nassl6
