I wonder whether the check for BEAST is wrong because of the reasons below.
1. TLS 1.1 is not vulnerable to BEAST
Current code treats it as vulnerable though.
2. The RegEx for checking the cipher mode is not valid
https://github.com/OWASP/O-Saft/blob/449e23dd38bcf2fddf6efa529beb6e851da05a4e/osaft.pm#L1738 BEAST occurs when cipher mode is CBC, but
$cfg{'regex'}->{'BEAST'}
does not match against 'CBC'.
3. A result for BEAST check is always made "no" because of one whitespace
https://github.com/OWASP/O-Saft/blob/449e23dd38bcf2fddf6efa529beb6e851da05a4e/o-saft.pl#L4065
4. A result for BEAST check is made "no" even if CBC cipher mode is not used.
The subroutine _istls12only returns the protocol names if TLS 1.1 or earlier protocols are used, regardless of cipher mode (and TLS 1.1 is not vulnerable to BEAST as I mentioned above). This behaviour leads to the checking result "no".
I think the subroutine should return a string only when the necessary check has been skipped.
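As an added illustration of how a BEAST check has to combine protocol version and cipher mode (example code written for this issue, not O-Saft's own code; the regexes, the protocol names and the "yes"/"no" result convention are assumptions chosen for the example): a cipher suite is only BEAST-relevant on SSLv3 or TLS 1.0, and only when it uses a CBC mode. Note that OpenSSL's short cipher names usually omit "CBC" (e.g. AES128-SHA is AES-128-CBC), so a regex that only looks for the literal string "CBC" misses most CBC suites; the example classifies by exclusion of AEAD, stream and NULL ciphers instead.

```python
import re

# Protocols on which BEAST applies: SSLv3 and TLS 1.0 (TLS 1.1+ uses explicit
# per-record IVs, which defeats the attack). Names are assumed, not O-Saft's.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Assumed regexes for this example. A suite is CBC if it is neither AEAD
# (GCM/CCM/ChaCha20-Poly1305) nor a stream/NULL cipher, and it names a block
# cipher; OpenSSL short names such as "AES128-SHA" do not contain "CBC".
_NOT_CBC = re.compile(r"GCM|CCM|CHACHA20|POLY1305|RC4|NULL", re.I)
_BLOCK_CIPHER = re.compile(r"CBC|AES|DES|CAMELLIA|SEED|IDEA|ARIA", re.I)


def is_cbc(cipher: str) -> bool:
    """True if the cipher suite (OpenSSL or IANA name) uses CBC mode."""
    if _NOT_CBC.search(cipher):
        return False
    return bool(_BLOCK_CIPHER.search(cipher))


def is_beast_vulnerable(protocol: str, cipher: str) -> bool:
    """A single (protocol, cipher) offer is BEAST-relevant only if both
    conditions hold; TLS 1.1/1.2 with CBC, or TLS 1.0 with RC4/AEAD, is not."""
    return protocol in BEAST_PROTOCOLS and is_cbc(cipher)


def beast_hits(offered):
    """Return the (protocol, cipher) pairs from a server's accepted offers
    that are BEAST-relevant."""
    return [(p, c) for (p, c) in offered if is_beast_vulnerable(p, c)]


def check_beast(offered) -> str:
    """Overall verdict in the "yes"/"no" convention assumed for this example:
    "yes" means at least one vulnerable protocol/cipher combination is accepted."""
    return "yes" if beast_hits(offered) else "no"


if __name__ == "__main__":
    # Constructed sample of what a scanner might have collected from a target.
    offered = [
        ("TLSv1", "AES128-SHA"),            # TLS 1.0 + CBC -> vulnerable
        ("TLSv1", "RC4-SHA"),               # TLS 1.0 + stream cipher -> not
        ("TLSv11", "DES-CBC3-SHA"),         # TLS 1.1 + CBC -> not (explicit IV)
        ("TLSv12", "AES128-GCM-SHA256"),    # TLS 1.2 + AEAD -> not
        ("TLSv12", "ECDHE-RSA-CHACHA20-POLY1305"),
    ]
    for hit in beast_hits(offered):
        print("BEAST-relevant:", hit)
    print("BEAST:", check_beast(offered))
```

Running the sample reports only the TLSv1/AES128-SHA pair and a "yes" verdict; dropping that pair flips the verdict to "no" even though TLS 1.1 still offers a CBC suite, which is the behaviour the report above argues _istls12only should produce.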