Merge pull request #121 from cosmincojocar/tls

Add a check for PreferServerCipherSuites flag of tls.Config
Grant Murphy 2017-03-15 08:38:07 -07:00 committed by GitHub
commit 5c302fb1b3
2 changed files with 41 additions and 0 deletions


@ -68,6 +68,16 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
}
case "PreferServerCipherSuites":
if node, ok := n.Value.(*ast.Ident); ok {
if node.Name == "false" {
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
}
} else {
// TODO(tk): symbol tab look up to get the actual value
return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
}
case "MinVersion":
if ival, ierr := gas.GetInt(n.Value); ierr == nil {
if (int16)(ival) < t.MinVersion {
@ -90,7 +100,9 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
if ret := t.processTlsCipherSuites(n, c); ret != nil {
return ret
}
}
}
return nil
}
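Review bot: The `*ast.Ident` branch of the new `PreferServerCipherSuites` case only recognizes the literal `false`, so a value passed through a named boolean (`PreferServerCipherSuites: preferServer`) is an identifier that is not `false` and the case reports nothing, while the `else` branch carrying the symbol-table TODO is reached only for non-identifier expressions such as calls or selectors. Until that lookup exists, an identifier other than `true` or `false` should fall into the "may be false" outcome, e.g. after the `false` check add `} else if node.Name != "true" { return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low) }`, and the TODO comment then describes both unresolved paths. The same identifier-vs-literal gap may exist in the `InsecureSkipVerify` case whose tail is visible above the change, though its body is outside this hunk. processTlsConfVal begins before the first hunk.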


@ -138,3 +138,32 @@ func TestInsecureCipherSuite(t *testing.T) {
checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
}
func TestPreferServerCipherSuites(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
issues := gasTestRunner(`
package main
import (
"crypto/tls"
"fmt"
"net/http"
)
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{PreferServerCipherSuites: false},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
}
`, analyzer)
checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites set false")
}
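Review bot: TestPreferServerCipherSuites exercises only the literal `false` path; the `may be false` branch added in the same commit for non-literal values, and the negative case of `PreferServerCipherSuites: true` yielding no issue, are untested, so a regression in the else branch or a false positive on `true` would pass CI. Two further fixtures in the same shape would cover the rule's three outcomes; if `checkTestResults` cannot express an empty result, an explicit `len(issues) != 0` check on the `true` fixture serves. A constructed sketch of the non-literal case follows.
```go
func TestPreferServerCipherSuitesMayBeFalse(t *testing.T) {
	config := map[string]interface{}{"ignoreNosec": false}
	analyzer := gas.NewAnalyzer(config, nil)
	analyzer.AddRule(NewModernTlsCheck(config))
	issues := gasTestRunner(`
package main
import "crypto/tls"
func preferServer() bool { return false }
func main() {
	_ = &tls.Config{PreferServerCipherSuites: preferServer()}
}
`, analyzer)
	// value is a call expression, so the rule cannot resolve it statically
	checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites may be false")
}
```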