API upd

mxsasha · mxsasha · commit 84616dbe3988 · 2025-07-22T21:03:22.000+02:00
diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py
@@ -882,7 +882,7 @@ def test_key_exchange_hash(
     phase_out_hash_result = _test_connection_with_limited_sigalgs(
         server_connectivity_info, SIGNATURE_ALGORITHMS_PHASE_OUT_HASH
     )
-    if bad_hash_result:
+    if phase_out_hash_result:
         log.info(f"SHA2 key exchange check: negotiated phase_out hash ({bad_hash_result})")
         return KeyExchangeHashFunctionEvaluation(
             status=KexHashFuncStatus.phase_out,
@@ -912,7 +912,7 @@ def _test_connection_with_limited_sigalgs(
         # OpenSSL will accept this, as it does know about the secure hash.
         if sigalg_nid in sigalgs:
             return sigalg_nid
-    except (ClientCertificateRequested, ServerRejectedTlsHandshake, TlsHandshakeTimedOut, OpenSSLError) as exc:
+    except (ClientCertificateRequested, ServerRejectedTlsHandshake, TlsHandshakeTimedOut, OpenSSLError):
         pass
     finally:
         ssl_connection.close()
diff --git a/interface/batch/openapi.yaml b/interface/batch/openapi.yaml
@@ -680,10 +680,11 @@ components:
           type: string
           enumClass: KexHashFuncStatus
           description: |
-            SHA2 support for signatures of the server:
-            * `bad` - SHA2 is not supported.
-            * `good` - SHA2 is supported.
-            * `unknown` - SHA2 support could not be determined (the server
+            Supported hashes for signatures:
+            * `good` - server supports only good hashes (SHA256 or newer).
+            * `bad` - server supports MD5 or SHA1.
+            * `phase_out` - server supports SHA224.
+            * `unknown` - hash support could not be determined (the server
               uses RSA key exchange or anonymous ciphers).
         zero_rtt:
           type: string
diff --git a/requirements.txt b/requirements.txt
@@ -25,7 +25,9 @@ beautifulsoup4==4.13.3
 billiard==4.2.1
     # via celery
 bleach[css]==5.0.1
-    # via django-bleach
+    # via
+    #   bleach
+    #   django-bleach
 cached-property==2.0.1
     # via -r requirements.in
 celery==5.4.0
@@ -226,6 +228,7 @@ statshog==1.0.6
 tinycss2==1.1.1
     # via bleach
 tls-parser==2.0.1
+    # via -r requirements.in
     # via sslyze
 tomli==2.2.1
     # via
