include a list of deprecated ciphers in the sslscan result

Allow recording remote deprecated cipher support even if the local OpenSSL library does not support negotiating that cipher.
2015-05-08 18:05:00 -05:00 · 2015-05-08 18:05:00 -05:00 · d3730ae18c
parent d875142468
commit d3730ae18c
2 changed files with 24 additions and 12 deletions
--- a/lib/rex/sslscan/result.rb
+++ b/lib/rex/sslscan/result.rb
@ -15,6 +15,24 @@ class Result
    @cert = nil
    @ciphers = Set.new
    @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+    @deprecated_weak_ciphers = [
+      'ECDHE-RSA-DES-CBC3-SHA',
+      'ECDHE-ECDSA-DES-CBC3-SHA',
+      'SRP-DSS-3DES-EDE-CBC-SHA',
+      'SRP-RSA-3DES-EDE-CBC-SHA',
+      'SRP-3DES-EDE-CBC-SHA',
+      'EDH-RSA-DES-CBC3-SHA',
+      'EDH-DSS-DES-CBC3-SHA',
+      'ECDH-RSA-DES-CBC3-SHA',
+      'ECDH-ECDSA-DES-CBC3-SHA',
+      'DES-CBC3-SHA',
+      'PSK-3DES-EDE-CBC-SHA',
+      'EXP-EDH-RSA-DES-CBC-SHA',
+      'EXP-EDH-DSS-DES-CBC-SHA',
+      'EXP-DES-CBC-SHA',
+      'EXP-RC2-CBC-MD5',
+      'EXP-RC4-MD5'
+    ]
  end

  def cert
@ -113,7 +131,8 @@ class Result
    unless @supported_versions.include? version
      raise ArgumentError, "Must be a supported SSL Version"
    end
-    unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
+    unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include?(cipher) \
+        || @deprecated_weak_ciphers.include?(cipher)
      raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
    end
    unless key_length.kind_of? Fixnum
--- a/spec/lib/rex/sslscan/result_spec.rb
+++ b/spec/lib/rex/sslscan/result_spec.rb
@ -410,9 +410,7 @@ describe Rex::SSLScan::Result do
  context "checking for weak ciphers" do
    context "when weak ciphers are supported" do
      before(:each) do
-        skip("Fix #5319, deal with system libs not supporting weak ciphers") do
-          subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
-        end
+        subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
        subject.add_cipher(:SSLv3, "DES-CBC-SHA", 56, :accepted)
      end
      it "should return an array of weak ciphers from #weak_ciphers" do
@ -460,10 +458,8 @@ describe Rex::SSLScan::Result do
    end

    it "should return false if weak ciphers are supported" do
-      skip("Fix #5319, deal with system libs not supporting weak ciphers") do
-        subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
-        subject.standards_compliant?.should == false
-      end
+      subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
+      subject.standards_compliant?.should == false
    end

    it "should return true if SSLv2 and Weak Ciphers are disabled" do
@ -492,10 +488,7 @@ describe Rex::SSLScan::Result do
        subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted)
        subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted)
        subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
-
-        skip("Fix #5319, deal with system libs not supporting weak ciphers") do
-          subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
-        end
+        subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)

        cert = OpenSSL::X509::Certificate.new
        key = OpenSSL::PKey::RSA.new 2048