Esempio n. 1
    def test_right_order_2(self):
        """Expect acceptance of ["a", "c"] against ["a", "b", "c", "d"], and rejection with the arguments swapped."""
        allowed = ["a", "b", "c", "d"]
        offered = ["a", "c"]

        # The shorter list keeps the relative order of the longer one.
        self.assertTrue(utils.check_cipher_order(allowed, offered))

        # Swapping the arguments must not be accepted: the check is not symmetric.
        self.assertFalse(utils.check_cipher_order(offered, allowed))
Esempio n. 2
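    def _check_cipher_suites_and_order(self, target_profile: Dict) -> List[str]:
        """Compare the scanned cipher suites and their ordering with a profile.

        Args:
            target_profile: Mapping that provides ``["ciphers"]["openssl"]``,
                ``["ciphersuites"]`` and ``["server_preferred_order"]``.

        Returns:
            One message per deviation: which side selects the cipher suite,
            a wrong server-side order, suites that are offered although the
            profile does not list them, and listed suites that are not
            offered. The last two groups are emitted in sorted order so that
            two scans of the same server produce identical reports.
        """
        errors = []

        # match supported cipher suite order for each supported protocol
        all_supported_ciphers = []
        for protocol, supported_ciphers in self.supported_ciphers.items():
            all_supported_ciphers.extend(supported_ciphers)

            if protocol not in self.supported_protocols:
                continue

            # Only the OpenSSL-named list takes part in the order check; the
            # entries of target_profile["ciphersuites"] are matched for
            # presence further down but never for order.
            ordered_allowed = target_profile["ciphers"]["openssl"]
            profile_wants_server_order = target_profile["server_preferred_order"]
            server_enforces_order = self.server_preferred_order[protocol]

            if profile_wants_server_order:
                if not server_enforces_order:
                    errors.append(
                        f"Server must choose the cipher suite, not the client (Protocol {protocol})"
                    )
                elif not utils.check_cipher_order(ordered_allowed, supported_ciphers):
                    # TODO wait for sslyze 3.1.1
                    errors.append(
                        f"Server has the wrong cipher suites order (Protocol {protocol})"
                    )
            elif server_enforces_order:
                errors.append(
                    f"Client must choose the cipher suite, not the server (Protocol {protocol})"
                )

        allowed = set(
            target_profile["ciphersuites"] + target_profile["ciphers"]["openssl"]
        )
        offered = set(all_supported_ciphers)

        # Suites the server offers but the profile does not list. Sorted,
        # because set iteration order is not stable between runs.
        for cipher in sorted(offered - allowed):
            errors.append(f"Must not support {cipher}")

        # The key type of the first certificate in the received chain decides
        # which of the missing suites the server could offer at all.
        certificate = self.certificate_obj.received_certificate_chain[0]
        pub_key_type = utils.cert_type_string(certificate.public_key())

        # Suites the profile lists but the server does not offer, limited to
        # those the certificate's key type supports.
        for cipher in sorted(allowed - offered):
            if utils.check_pub_key_supports_cipher(cipher, pub_key_type):
                errors.append(f"Must support {cipher}")

        return errors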
Esempio n. 3
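    def _check_cipher_suites_and_order(self, pub_key_type: str) -> List[str]:
        """Compare the scanned cipher suites and their ordering with ``self.target_profile``.

        Args:
            pub_key_type: Key type string handed to
                ``self._check_pub_key_supports_cipher`` to decide whether a
                missing suite is reported.

        Returns:
            One message per deviation: which side selects the cipher suite,
            a wrong server-side order, suites that are offered although the
            profile does not list them, and listed suites that are not
            offered. The last two groups are emitted in sorted order so that
            two scans of the same server produce identical reports.
        """
        errors = []

        # match supported cipher suite order for each supported protocol
        all_supported_ciphers = []
        for protocol, supported_ciphers in self.supported_ciphers.items():
            all_supported_ciphers.extend(supported_ciphers)

            if protocol not in self.supported_protocols:
                continue

            # Only the OpenSSL-named list takes part in the order check; the
            # entries of self.target_profile["ciphersuites"] are matched for
            # presence further down but never for order.
            ordered_allowed = self.target_profile["ciphers"]["openssl"]
            profile_wants_server_order = self.target_profile["server_preferred_order"]
            server_enforces_order = self.server_preferred_order[protocol]

            if profile_wants_server_order:
                if not server_enforces_order:
                    errors.append(
                        f"Server must choose the cipher suite, not the client (Protocol {protocol})"
                    )
                elif not utils.check_cipher_order(ordered_allowed, supported_ciphers):
                    # TODO wait for sslyze 3.1.1
                    errors.append(
                        f"Server has the wrong cipher suites order (Protocol {protocol})"
                    )
            elif server_enforces_order:
                errors.append(
                    f"Client must choose the cipher suite, not the server (Protocol {protocol})"
                )

        allowed = set(
            self.target_profile["ciphersuites"]
            + self.target_profile["ciphers"]["openssl"]
        )
        offered = set(all_supported_ciphers)

        # Suites the server offers but the profile does not list. Sorted,
        # because set iteration order is not stable between runs.
        for cipher in sorted(offered - allowed):
            errors.append(f"Must not support {cipher}")

        # Suites the profile lists but the server does not offer, limited to
        # those the given key type supports.
        for cipher in sorted(allowed - offered):
            if self._check_pub_key_supports_cipher(cipher, pub_key_type):
                errors.append(f"Must support {cipher}")

        return errors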
Esempio n. 4
 def test_empty_input(self):
     """Expect the order check to accept two empty lists."""
     allowed, offered = [], []
     self.assertTrue(utils.check_cipher_order(allowed, offered))
Esempio n. 5
 def test_empty_s_list(self):
     """Expect the order check to accept an empty second list against a populated first one."""
     allowed = ["a", "b", "c", "d"]
     offered = []
     self.assertTrue(utils.check_cipher_order(allowed, offered))
Esempio n. 6
 def test_wrong_order_2(self):
     """Expect rejection when the second list places "d" before "c", unlike the first list."""
     allowed = ["a", "b", "c", "d"]
     offered = ["a", "d", "c"]
     self.assertFalse(utils.check_cipher_order(allowed, offered))