OWASP / O-Saft

O-Saft - OWASP SSL advanced forensic tool
GNU General Public License v2.0

CBC ciphers not detected #144

Closed niall-san closed 1 month ago

niall-san commented 1 month ago

I am trying to run O-Saft against an application to assess whether it supports CBC ciphers; however, it does not appear to be detecting them correctly. I have run it against cbc.badssl.com, which supports CBC ciphers and is reported to do so by other SSL analysis tools, such as testssl.sh.

./o-saft.pl +cbc cbc.badssl.com:443
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING: 203: connection without SNI succeded with errors; errors ignored
!!Hint: use '--v' to show more information about SSLinfo::do_ssl_open() errors
!!Hint: TLSv1.3 did not return ciphers, consider using '+hastls10_old' and '+hastls10_old'
Target does not accept CBC ciphers:     yes

My version of O-Saft is the latest version cloned from this repository:

grep 'SID_main ' o-saft.pl
our $SID_main   = "@(#) o-saft.pl 3.96 24/07/30 12:01:20"; # version of this file

kylak commented 1 month ago

Maybe this yes means yes, it does accept CBC ciphers?

niall-san commented 1 month ago

That's what I thought might be happening, as the message is a double negative. It would need to be run against a host that doesn't support CBC ciphers in order to check. The tool also doesn't output the identified ciphers, so it's hard to know what the result means.

EnDe commented 1 month ago

No, "yes" is the answer to the label "Target does not accept CBC ciphers".

Now fixed in o-saft.pl. (The list of reported CBC ciphers may contain duplicates; will be fixed later.)

EnDe commented 1 month ago

The tool also doesn't output the identified ciphers, so its hard to know what the result means.

If the answer is no, the detected CBC ciphers are reported. I guess this is what you expect.

The idea behind yes vs. no is that in an ideal world you would get yes only, and to all checks; then you have a simple-to-read (and simple-to-parse) output. Anything else with no is a questionable result and needs human verification. See ./o-saft.pl --help=result. Does this make sense?
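To make the reporting convention discussed in this thread concrete (the label "Target does not accept CBC ciphers" answered with yes/no, and the accepted CBC suites listed, without duplicates, only when the answer is no), here is a small stand-alone probe in Python. It is an added example, not O-Saft's own code; the function names (`is_cbc`, `local_cbc_ciphers`, `tls_handshake`, `probe`, `summarize`) are my own. It uses only the standard `ssl` and `socket` modules, offers one cipher suite per handshake with SNI, and caps the protocol at TLS 1.2 because TLS 1.3 suites are AEAD-only and can never negotiate CBC. One detail worth knowing: OpenSSL suite names such as `ECDHE-RSA-AES128-SHA` do not contain the word "CBC", so the mode is read from the `symmetric` field that `SSLContext.get_ciphers()` returns rather than from the name.

```python
"""Probe a TLS endpoint for CBC cipher-suite support and report it as
"Target does not accept CBC ciphers: yes|no", listing the accepted suites
when the answer is "no".  Added example; not O-Saft's code."""
import socket
import ssl

LABEL = "Target does not accept CBC ciphers"


def is_cbc(cipher):
    """True for a CBC-mode suite as described by SSLContext.get_ciphers().
    The 'symmetric' field (e.g. 'aes-128-cbc', 'des-ede3-cbc') carries the
    mode; suite names such as 'ECDHE-RSA-AES128-SHA' do not mention CBC."""
    mode = str(cipher.get("symmetric") or "")
    return (not cipher.get("aead", False)) and mode.endswith("-cbc")


def local_cbc_ciphers():
    """Names of the CBC suites the local OpenSSL build can offer.  TLS 1.3
    suites are AEAD-only and therefore never appear here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # widen beyond Python's hardened default list
    return sorted({c["name"] for c in ctx.get_ciphers() if is_cbc(c)})


def tls_handshake(host, port, cipher_name, timeout=5.0):
    """One TLS <= 1.2 handshake offering only `cipher_name`, with SNI.
    Returns True when the server completes the handshake with that suite.
    Certificate validation is off on purpose: this probes cipher support,
    not trust, just as a cipher scanner does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 cannot select CBC
    try:
        ctx.set_ciphers(cipher_name + ":@SECLEVEL=0")  # let legacy suites through
    except ssl.SSLError:
        try:
            ctx.set_ciphers(cipher_name)  # builds without @SECLEVEL support
        except ssl.SSLError:
            return False  # suite unknown to the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher_name
    except OSError:  # ssl.SSLError is a subclass: refused, alert, timeout ...
        return False


def probe(host, port=443, ciphers=None, handshake=tls_handshake):
    """Try every candidate CBC suite against host:port.  `handshake` is
    injectable so the logic can be exercised without a network."""
    candidates = ciphers if ciphers is not None else local_cbc_ciphers()
    return [name for name in candidates if handshake(host, port, name)]


def summarize(accepted):
    """Render the result the way the thread describes: "yes" is the desirable
    state (no CBC at all); "no" is the questionable one and comes with the
    accepted suites, de-duplicated with order preserved."""
    unique = list(dict.fromkeys(accepted))
    return {LABEL: "no" if unique else "yes", "cbc": unique}


if __name__ == "__main__":
    import sys
    # cbc.badssl.com is the host used in the issue report above
    target = sys.argv[1] if len(sys.argv) > 1 else "cbc.badssl.com"
    result = summarize(probe(target))
    print(f"{LABEL}:\t{result[LABEL]}")
    for name in result["cbc"]:
        print(f"  {name}")
```

Run it as `python probe_cbc.py cbc.badssl.com`; against a host that refuses every CBC suite it prints only the "yes" line, which is the "ideal world" output the maintainer describes. Because each handshake offers exactly one suite, a server that rejects it answers with a handshake failure alert, so the list contains only suites the server actually chose, not ones merely present in the client offer.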

niall-san commented 1 month ago

I can confirm that this has fixed it.