@@ -1500,11 +1500,11 @@ int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
15001500 return 1 ;
15011501 switch (EVP_PKEY_id (key )) {
15021502 case EVP_PKEY_RSA :
1503- if (EVP_PKEY_bits (key ) <= 768 )
1503+ if (EVP_PKEY_bits (key ) <= 1024 )
15041504 {
15051505 printf (" RSA %s%d%s bits" , COL_RED , EVP_PKEY_bits (key ), RESET );
15061506 }
1507- else if (EVP_PKEY_bits (key ) <= 1024 )
1507+ else if (EVP_PKEY_bits (key ) <= 2048 )
15081508 {
15091509 printf (" RSA %s%d%s bits" , COL_YELLOW , EVP_PKEY_bits (key ), RESET );
15101510 }
@@ -1515,11 +1515,11 @@ int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)
15151515 break ;
15161516
15171517 case EVP_PKEY_DH :
1518- if (EVP_PKEY_bits (key ) <= 768 )
1518+ if (EVP_PKEY_bits (key ) <= 1024 )
15191519 {
15201520 printf (" DHE %s%d%s bits" , COL_RED , EVP_PKEY_bits (key ), RESET );
15211521 }
1522- else if (EVP_PKEY_bits (key ) <= 1024 )
1522+ else if (EVP_PKEY_bits (key ) < 2048 )
15231523 {
15241524 printf (" DHE %s%d%s bits" , COL_YELLOW , EVP_PKEY_bits (key ), RESET );
15251525 }
@@ -1639,10 +1639,10 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
16391639 printf ("%s??%s bits " , COL_YELLOW , RESET );
16401640 } else if (cipherbits == 0 ) {
16411641 printf ("%s%d%s bits " , COL_RED_BG , cipherbits , RESET );
1642+ } else if (cipherbits == 112 ) {
1643+ printf ("%s%d%s bits " , COL_YELLOW , cipherbits , RESET );
16421644 } else if (cipherbits >= 112 ) {
16431645 printf ("%s%d%s bits " , COL_GREEN , cipherbits , RESET );
1644- } else if (cipherbits > 56 ) {
1645- printf ("%s%d%s bits " , COL_YELLOW , cipherbits , RESET );
16461646 } else
16471647 printf ("%s%d%s bits " , COL_RED , cipherbits , RESET );
16481648
@@ -1666,10 +1666,10 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
16661666 strength = "null" ;
16671667 } else if (strstr (ciphername , "ADH" ) || strstr (ciphername , "AECDH" ) || strstr (ciphername , "_anon_" )) {
16681668 if (options -> ianaNames ) {
1669- printf ("%s%-45s%s" , COL_PURPLE , ciphername , RESET );
1669+ printf ("%s%-45s%s" , COL_RED_BG , ciphername , RESET );
16701670 }
16711671 else {
1672- printf ("%s%-29s%s" , COL_PURPLE , ciphername , RESET );
1672+ printf ("%s%-29s%s" , COL_RED_BG , ciphername , RESET );
16731673 }
16741674 strength = "anonymous" ;
16751675 } else if (strstr (ciphername , "EXP" )) {
@@ -1680,6 +1680,15 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
16801680 printf ("%s%-29s%s" , COL_RED , ciphername , RESET );
16811681 }
16821682 strength = "weak" ;
1683+ } else if (strstr (ciphername , "MD5" )) {
1684+ /* SHA-1 isn't really exploitable in the contxt of TLS, but there's no reason to be using it any more */
1685+ if (options -> ianaNames ) {
1686+ printf ("%s%-45s%s" , COL_RED , ciphername , RESET );
1687+ }
1688+ else {
1689+ printf ("%s%-29s%s" , COL_RED , ciphername , RESET );
1690+ }
1691+ strength = "medium" ;
16831692 } else if (strstr (ciphername , "RC4" ) || strstr (ciphername , "DES" )) {
16841693 if (options -> ianaNames ) {
16851694 printf ("%s%-45s%s" , COL_YELLOW , ciphername , RESET );
@@ -1702,18 +1711,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
17021711 strength = "medium" ;
17031712 } else if (strstr (ciphername , "_SM4_" )) { /* Developed by Chinese government */
17041713 if (options -> ianaNames ) {
1705- printf ("%s%-45s%s" , COL_YELLOW , ciphername , RESET );
1714+ printf ("%s%-45s%s" , COL_RED , ciphername , RESET );
17061715 }
17071716 else {
1708- printf ("%s%-29s%s" , COL_YELLOW , ciphername , RESET );
1717+ printf ("%s%-29s%s" , COL_RED , ciphername , RESET );
17091718 }
17101719 strength = "medium" ;
17111720 } else if (strstr (ciphername , "_GOSTR341112_" )) { /* Developed by Russian government */
17121721 if (options -> ianaNames ) {
1713- printf ("%s%-45s%s" , COL_YELLOW , ciphername , RESET );
1722+ printf ("%s%-45s%s" , COL_RED , ciphername , RESET );
17141723 }
17151724 else {
1716- printf ("%s%-29s%s" , COL_YELLOW , ciphername , RESET );
1725+ printf ("%s%-29s%s" , COL_RED , ciphername , RESET );
17171726 }
17181727 strength = "medium" ;
17191728 } else if ((strstr (ciphername , "CHACHA20" ) || (strstr (ciphername , "GCM" ))) && (strstr (ciphername , "DHE" ) || (strcmp (cleanSslMethod , "TLSv1.3" ) == 0 ))) {
@@ -1724,6 +1733,15 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
17241733 printf ("%s%-29s%s" , COL_GREEN , ciphername , RESET );
17251734 }
17261735 strength = "strong" ;
1736+ } else if (strstr (ciphername , "SHA" ) && !(strstr (ciphername , "SHA256" ) || strstr (ciphername , "SHA384" ))) {
1737+ /* SHA-1 isn't really exploitable in the contxt of TLS, but there's no reason to be using it any more */
1738+ if (options -> ianaNames ) {
1739+ printf ("%s%-45s%s" , COL_YELLOW , ciphername , RESET );
1740+ }
1741+ else {
1742+ printf ("%s%-29s%s" , COL_YELLOW , ciphername , RESET );
1743+ }
1744+ strength = "medium" ;
17271745 } else {
17281746 if (options -> ianaNames ) {
17291747 printf ("%-45s" , ciphername );
@@ -2082,7 +2100,7 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho
20822100
20832101 if (keyBits < 112 )
20842102 color = COL_RED ;
2085- else if (keyBits < 128 )
2103+ else if (keyBits <= 128 )
20862104 color = COL_YELLOW ;
20872105
20882106 printf ("ECC Curve Name: %s\n" , ec_group_name );
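Review bot: The comment added above the new `strstr(ciphername, "MD5")` branch in outputCipher (new lines 1684-1691) describes SHA-1, not MD5, so it reads as a copy of the later `SHA` branch's comment; it should say something like `/* MD5 as a TLS HMAC isn't practically exploitable, but it has no place in a modern suite */`, and `contxt` in both copies should be `context`. That same MD5 branch prints the name in COL_RED yet sets `strength = "medium"`, whereas the `EXP` branch pairs COL_RED with `"weak"`, so the console verdict and the strength string disagree (the SM4 and GOST branches now have the same red/"medium" pairing, so confirm whether red-but-medium is the intended meaning or those should become `"weak"`). In ssl_print_tmp_key the RSA threshold became `<= 2048` but the DH one `< 2048`, so a 2048-bit RSA key is flagged yellow while a 2048-bit DHE key presumably falls through to the branch below the hunk; if that asymmetry is deliberate, a one-line comment on the DH case would stop it being read as a typo. Both ssl_print_tmp_key and outputCipher start and end outside these hunks.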