From d3730ae18c6a4fdbd8772e208caf34ddcdc45357 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Fri, 8 May 2015 18:05:00 -0500
Subject: [PATCH] include a list of deprecated ciphers in the sslscan result

Allow recording remote deprecated cipher support even if the local OpenSSL library does not support negotiating that cipher.
---
 lib/rex/sslscan/result.rb | 21 ++++++++++++++++++++-
 spec/lib/rex/sslscan/result_spec.rb | 15 ++++-----------
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/lib/rex/sslscan/result.rb b/lib/rex/sslscan/result.rb
index 01f6052c26..b905b89250 100644
--- a/lib/rex/sslscan/result.rb
+++ b/lib/rex/sslscan/result.rb
@@ -15,6 +15,24 @@ class Result
 @cert = nil
 @ciphers = Set.new
 @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+ @deprecated_weak_ciphers = [
+ 'ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'SRP-DSS-3DES-EDE-CBC-SHA',
+ 'SRP-RSA-3DES-EDE-CBC-SHA',
+ 'SRP-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'PSK-3DES-EDE-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5'
+ ]
 end
 def cert
@@ -113,7 +131,8 @@ class Result
 unless @supported_versions.include? version
 raise ArgumentError, "Must be a supported SSL Version"
 end
- unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
+ unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include?(cipher) \
+ || @deprecated_weak_ciphers.include?(cipher)
 raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
 end
 unless key_length.kind_of? Fixnum
diff --git a/spec/lib/rex/sslscan/result_spec.rb b/spec/lib/rex/sslscan/result_spec.rb
index fe505c2cca..e2d66d4ce4 100644
--- a/spec/lib/rex/sslscan/result_spec.rb
+++ b/spec/lib/rex/sslscan/result_spec.rb
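Review bot: `@deprecated_weak_ciphers` in the `@@ -15,6 +15,24 @@` hunk of `lib/rex/sslscan/result.rb` is a fixed lookup table, yet it is built as a mutable array on every `Result` instance; a frozen class-level constant such as `DEPRECATED_WEAK_CIPHERS = [ ... ].freeze` would state that intent and avoid the per-object allocation. The list holds only 3DES and EXPORT suite names, so a short comment above it saying where the names were taken from and how the list is to be kept current would let a maintainer judge what is missing. `initialize` begins above the hunk, so only its tail is visible here.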
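Review bot: In the `@@ -113,7 +131,8 @@` hunk of `lib/rex/sslscan/result.rb` the local lookup `OpenSSL::SSL::SSLContext.new(version)` is still evaluated before the new `@deprecated_weak_ciphers` test, so when the local library cannot build a context for that protocol version the constructor may raise before the fallback is reached, which is the case the commit message sets out to handle. Testing the list first avoids that and removes the backslash continuation: `unless @deprecated_weak_ciphers.include?(cipher) ||` followed by `OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include?(cipher)`. The fallback also ignores `version`, so a listed name is accepted for any supported version and the "valid SSL Cipher for #{version}" message is no longer exact. The enclosing method (presumably `add_cipher`, going by the spec) starts and ends outside the hunk.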
@@ -410,9 +410,7 @@ describe Rex::SSLScan::Result do
 context "checking for weak ciphers" do
 context "when weak ciphers are supported" do
 before(:each) do
- skip("Fix #5319, deal with system libs not supporting weak ciphers") do
- subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
- end
+ subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
 subject.add_cipher(:SSLv3, "DES-CBC-SHA", 56, :accepted)
 end
 it "should return an array of weak ciphers from #weak_ciphers" do
@@ -460,10 +458,8 @@ describe Rex::SSLScan::Result do
 end
 it "should return false if weak ciphers are supported" do
- skip("Fix #5319, deal with system libs not supporting weak ciphers") do
- subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
- subject.standards_compliant?.should == false
- end
+ subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
+ subject.standards_compliant?.should == false
 end
 it "should return true if SSLv2 and Weak Ciphers are disabled" do
@@ -492,10 +488,7 @@ describe Rex::SSLScan::Result do
 subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted)
 subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted)
 subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
-
- skip("Fix #5319, deal with system libs not supporting weak ciphers") do
- subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
- end
+ subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
 cert = OpenSSL::X509::Certificate.new
 key = OpenSSL::PKey::RSA.new 2048
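Review bot: The `before(:each)` block in the `@@ -410,9 +410,7 @@` hunk still records `DES-CBC-SHA`, which is not among the names this commit adds to `@deprecated_weak_ciphers`, so the setup continues to depend on the local OpenSSL build offering that cipher for SSLv3. If the skip was needed because system libraries drop weak suites, this line can fail with the same `ArgumentError` that the re-enabled `EXP-RC4-MD5` line no longer hits. Either add the name to the list in `lib/rex/sslscan/result.rb` or use a listed cipher here.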
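Review bot: The examples re-enabled in the `@@ -460,10 +458,8 @@` and `@@ -492,10 +488,7 @@` hunks never reach the new list lookup on a host whose OpenSSL still offers `EXP-RC2-CBC-MD5`, so nothing in the spec pins the fallback itself. An example that stubs the local cipher list to be empty and asserts `add_cipher` accepts a listed name would cover the new branch. A second example asserting that an unlisted, locally unsupported name still raises `ArgumentError` would cover the other side of the condition.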