From 2262f5d474c77aaca985386f16474fb79f8e8329 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Wed, 15 Mar 2017 15:05:44 +0100
Subject: [PATCH] Add a check for PreferServerCipherSuites flag of tls.Config

---
 rules/tls.go      | 12 ++++++++++++
 rules/tls_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/rules/tls.go b/rules/tls.go
index c95fa58..cbcca56 100644
--- a/rules/tls.go
+++ b/rules/tls.go
@@ -68,6 +68,16 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
 				return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
 			}
 
+		case "PreferServerCipherSuites":
+			if node, ok := n.Value.(*ast.Ident); ok {
+				if node.Name == "false" {
+					return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
+				}
+			} else {
+				// TODO(tk): symbol tab look up to get the actual value
+				return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
+			}
+
 		case "MinVersion":
 			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
 				if (int16)(ival) < t.MinVersion {
@@ -90,7 +100,9 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
 			if ret := t.processTlsCipherSuites(n, c); ret != nil {
 				return ret
 			}
+
 		}
+
 	}
 	return nil
 }
diff --git a/rules/tls_test.go b/rules/tls_test.go
index 7443d4f..9b215a3 100644
--- a/rules/tls_test.go
+++ b/rules/tls_test.go
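Review bot: An identifier other than the literal `false` — a bool variable such as `PreferServerCipherSuites: prefer` — satisfies the `*ast.Ident` assertion in the new `case "PreferServerCipherSuites":` and then passes `node.Name == "false"` silently with no issue, while a non-identifier value (`cfg.Prefer`, a call) lands in the `else` and is reported as "may be false"; the `ok` branch should only claim certainty for the two boolean literals, e.g. `if node, ok := n.Value.(*ast.Ident); ok && (node.Name == "true" || node.Name == "false") {`, so an unknown identifier reaches the low-confidence report instead of being dropped. The InsecureSkipVerify case visible just above appears to share this shape, so it presumably wants the same treatment. Note also that PreferServerCipherSuites is only consulted by the server side of crypto/tls, so flagging it on a client config (as the accompanying test fixture does) is a likely source of false positives unless the rule cannot tell the two apart. processTlsConfVal begins and ends outside this hunk; the second hunk of the file only inserts blank lines.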
@@ -138,3 +138,32 @@ func TestInsecureCipherSuite(t *testing.T) {
 
 	checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
 }
+
+func TestPreferServerCipherSuites(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewModernTlsCheck(config))
+
+	issues := gasTestRunner(`
+	package main
+
+	import (
+		"crypto/tls"
+		"fmt"
+		"net/http"
+	)
+
+	func main() {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{PreferServerCipherSuites: false},
+		}
+		client := &http.Client{Transport: tr}
+		_, err := client.Get("https://golang.org/")
+		if err != nil {
+			fmt.Println(err)
+		}
+	}
+	`, analyzer)
+
+	checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites set false")
+}
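Review bot: Only the literal `false` path of the new rule is exercised; the `else` branch that reports "TLS PreferServerCipherSuites may be false" for a non-identifier value, and the case of a boolean identifier (`PreferServerCipherSuites: prefer`), have no fixture, so the low-confidence message and its severity go unverified. A second fixture that assigns the field from a variable or a function result and checks `checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites may be false")` would close that gap and would also surface how the identifier case currently behaves. The fixture sets the flag on `TLSClientConfig`, where crypto/tls ignores it; if the rule targets server configs, a `tls.Config` attached to an `http.Server` would be the more representative sample.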