
Commit 4f2f9fa

committed
Mark CCM8 ciphers as weak and manually override their display bit strength
1 parent f8f9867 commit 4f2f9fa


2 files changed

+35
-1
lines changed


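--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,19 @@
 Changelog
 =========
+Version: 2.1.6
+Date : 02/12/2024
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+> Flag CCM8 ciphers as weak and manually override their displayed
+bit strength to match newer versions of OpenSSL
+See https://github.com/openssl/openssl/pull/16652
+
+Version: 2.1.5
+Date : 21/09/2024
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+> Makefile improvements
+
 Version: 2.1.4
 Date : 16/06/2024
 Author : rbsec <[email protected]>
@@ -11,7 +25,7 @@ Date : 21/01/2024
 Author : rbsec <[email protected]>
 Changes: The following are a list of changes
 > Enable quiet shutdown for scanning (credit jarnfast)
-> Fix Docked build on non-x64 architectures (credit jtesta)
+> Fix Docker build on non-x64 architectures (credit jtesta)
 
 Version: 2.1.2
 Date : 14/11/2023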

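--- a/sslscan.c
+++ b/sslscan.c
@@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 } else
 printf("%s ", cleanSslMethod);
 
+// Short authentication tag length
+// These are flagged as 64 bit strength in newer versions of OpenSSL
+// But in older versions they'll still show as 256 bits, so override that here
+// See https://github.com/openssl/openssl/pull/16652
+if (strstr(ciphername, "CCM8")) {
+cipherbits = 64;
+}
+
 if (cipherbits < 10)
 tempInt = 2;
 else if (cipherbits < 100)
@@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
 }
 strength = "medium";
+} else if (strstr(ciphername, "CCM8")) {
+// Short authentication tag length
+// These are flagged as 64 bit strength in newer versions of OpenSSL
+// But in older versions they'll still show as 256 bits, so manually flag them here
+// See https://github.com/openssl/openssl/pull/16652
+if (options->ianaNames) {
+printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+}
+else {
+printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+}
+strength = "medium";
 } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
 if (options->ianaNames) {
 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);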
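Review bot: Both new CCM8 checks match only the literal substring `CCM8`, so names written with the underscore form `_CCM_8` — the TLS 1.3 suite `TLS_AES_128_CCM_8_SHA256`, and the IANA `TLS_*_WITH_AES_*_CCM_8` names that `ciphername` presumably carries when `options->ianaNames` is set, given the 45-column branch — receive neither the 64-bit override at new line 1727 nor the yellow/medium flag at new line 1789. Widening the condition in both hunks, `if (strstr(ciphername, "CCM8") || strstr(ciphername, "CCM_8")) {`, would keep the two display modes consistent. The `_SM4_` branch directly below already relies on the underscore spelling, which supports the reading that IANA-style names reach this code. The commit message says "weak" while the new branch sets `strength = "medium"` with COL_YELLOW; if a weaker rating is intended, the literal and colour should say so. outputCipher begins and ends outside both hunks.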
