Update client initiated renegotiation limits, incl DB changes for 3 states now, also requires new labels see categories.py

Author: mxsasha

checks/categories.py

@@ -3,6 +3,7 @@
 from typing import Optional
 
 from checks import scoring
+from checks.models import TLSClientInitiatedRenegotiationStatus
 from checks.scoring import (
     ORDERED_STATUSES,
     STATUS_ERROR,
@@ -1183,14 +1184,27 @@ def __init__(self):
             model_score_field="client_reneg_score",
         )
 
-    def result_good(self):
+    def save_result(self, status: TLSClientInitiatedRenegotiationStatus):
+        handlers = {
+            TLSClientInitiatedRenegotiationStatus.not_allowed: self.result_not_allowed,
+            TLSClientInitiatedRenegotiationStatus.allowed_with_low_limit: self.result_allowed_with_low_limit,
+            TLSClientInitiatedRenegotiationStatus.allowed_with_too_high_limit: self.result_allowed_with_too_high_limit,
+        }
+        return handlers[status]()
+
+    def result_not_allowed(self):
         self._status(STATUS_SUCCESS)
-        self.verdict = "detail web tls renegotiation-client verdict good"
+        self.verdict = "detail web tls renegotiation-client verdict not-allowed"
         self.tech_data = "detail tech data no"
 
-    def result_bad(self):
+    def result_allowed_with_low_limit(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail web tls renegotiation-client verdict allowed-with-low-limit"
+        self.tech_data = "detail tech data phase-out"
+
+    def result_allowed_with_too_high_limit(self):
         self._status(STATUS_FAIL)
-        self.verdict = "detail web tls renegotiation-client verdict bad"
+        self.verdict = "detail web tls renegotiation-client verdict allowed-with-too-high-limit"
         self.tech_data = "detail tech data yes"
 
 

checks/migrations/0019_domaintesttls_client_reneg_to_enum.py

@@ -0,0 +1,56 @@
+# Generated by Django 4.2.22 on 2025-07-22 18:17
+from enum import Enum
+
+import checks.models
+from django.db import migrations
+import enumfields.fields
+
+
+class TLSClientInitiatedRenegotiationStatus(Enum):
+    not_allowed = 1
+    allowed_with_low_limit = 2
+    allowed_with_too_high_limit = 3
+
+
+def set_client_reneg_new(apps, schema_editor):
+    DomainTestTls = apps.get_model("checks", "DomainTestTls")
+    DomainTestTls.object.update(client_reneg_new=TLSClientInitiatedRenegotiationStatus.not_allowed)
+    DomainTestTls.object.filter(dtls__client_reneg=True).update(
+        client_reneg_new=TLSClientInitiatedRenegotiationStatus.allowed_with_too_high_limit
+    )
+
+
+def set_client_reneg_old(apps, schema_editor):
+    DomainTestTls = apps.get_model("checks", "DomainTestTls")
+    DomainTestTls.object.update(client_reneg=False)
+    DomainTestTls.object.filter(
+        client_reneg_new=TLSClientInitiatedRenegotiationStatus.allowed_with_too_high_limit
+    ).update(client_reneg=True)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("checks", "0018_domaintesttls_caa_records"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="client_reneg_new",
+            field=enumfields.fields.EnumField(
+                enum=checks.models.TLSClientInitiatedRenegotiationStatus,
+                max_length=10,
+                null=True,
+            ),
+        ),
+        migrations.RunPython(set_client_reneg_new, set_client_reneg_old),
+        migrations.RemoveField(
+            model_name="domaintesttls",
+            name="client_reneg",
+        ),
+        migrations.RenameField(
+            model_name="domaintesttls",
+            old_name="client_reneg_new",
+            new_name="client_reneg",
+        ),
+    ]

checks/models.py

@@ -89,6 +89,12 @@ class OcspStatus(Enum):
     not_in_cert = 3
 
 
+class TLSClientInitiatedRenegotiationStatus(Enum):
+    not_allowed = 1
+    allowed_with_low_limit = 2
+    allowed_with_too_high_limit = 3
+
+
 class ZeroRttStatus(Enum):
     bad = 0
     good = 1
@@ -524,7 +530,7 @@ class DomainTestTls(BaseTestModel):
     compression_score = models.IntegerField(null=True)
     secure_reneg = models.BooleanField(null=True, default=False)
     secure_reneg_score = models.IntegerField(null=True)
-    client_reneg = models.BooleanField(null=True, default=False)
+    client_reneg = EnumField(TLSClientInitiatedRenegotiationStatus, null=True)
     client_reneg_score = models.IntegerField(null=True)
 
     zero_rtt = EnumField(ZeroRttStatus, default=ZeroRttStatus.bad)

checks/scoring.py

@@ -144,6 +144,7 @@
 WEB_TLS_SECURE_RENEG_WORST_STATUS = STATUS_FAIL
 
 WEB_TLS_CLIENT_RENEG_GOOD = FULL_WEIGHT_POINTS
+WEB_TLS_CLIENT_RENEG_OK = FULL_WEIGHT_POINTS
 WEB_TLS_CLIENT_RENEG_BAD = NO_POINTS
 WEB_TLS_CLIENT_RENEG_WORST_STATUS = STATUS_INFO
 

checks/tasks/tls/evaluation.py

@@ -4,11 +4,23 @@
 from cryptography.hazmat._oid import AuthorityInformationAccessOID, ExtensionOID
 from cryptography.x509 import AuthorityInformationAccess, ExtensionNotFound
 from nassl.ephemeral_key_info import EcDhEphemeralKeyInfo, DhEphemeralKeyInfo, OpenSslEvpPkeyEnum
-from sslyze import TlsVersionEnum, CipherSuiteAcceptedByServer, CipherSuite, CertificateDeploymentAnalysisResult
+from sslyze import (
+    TlsVersionEnum,
+    CipherSuiteAcceptedByServer,
+    CipherSuite,
+    CertificateDeploymentAnalysisResult,
+    SessionRenegotiationScanResult,
+)
 from sslyze.plugins.openssl_cipher_suites.cipher_suites import _TLS_1_3_CIPHER_SUITES
 
 from checks import scoring
-from checks.models import KexHashFuncStatus, CipherOrderStatus, OcspStatus, KexRSAPKCSStatus
+from checks.models import (
+    KexHashFuncStatus,
+    CipherOrderStatus,
+    OcspStatus,
+    KexRSAPKCSStatus,
+    TLSClientInitiatedRenegotiationStatus,
+)
 from checks.tasks.tls.tls_constants import (
     PROTOCOLS_GOOD,
     PROTOCOLS_SUFFICIENT,
@@ -244,6 +256,57 @@ def score(self) -> scoring.Score:
         )
 
 
+@dataclass(frozen=True)
+class TLSRenegotiationEvaluation:
+    """
+    Evaluate the secure renegotiation settings per NCSC 3.4.2
+    """
+
+    supports_secure_renegotiation: bool
+    client_renegotiations_success_count: int
+
+    # What counts as "limited" per NCSC 3.4.2
+    MAX_SECURE_RENEG_ATTEMPTS = 10
+    # The number of attempts the scan should make
+    SCAN_RENEGOTIATION_LIMIT = MAX_SECURE_RENEG_ATTEMPTS + 1
+
+    @classmethod
+    def from_session_renegotiation_scan_result(cls, session_renegotiation_scan_result: SessionRenegotiationScanResult):
+        return cls(
+            supports_secure_renegotiation=session_renegotiation_scan_result.supports_secure_renegotiation,
+            client_renegotiations_success_count=session_renegotiation_scan_result.client_renegotiations_success_count,
+        )
+
+    @property
+    def status_secure_renegotiation(self) -> bool:
+        return self.supports_secure_renegotiation
+
+    @property
+    def status_client_initiated_renegotiation(self) -> TLSClientInitiatedRenegotiationStatus:
+        if not self.client_renegotiations_success_count:
+            return TLSClientInitiatedRenegotiationStatus.not_allowed
+        if self.client_renegotiations_success_count <= self.MAX_SECURE_RENEG_ATTEMPTS:
+            return TLSClientInitiatedRenegotiationStatus.allowed_with_low_limit
+        return TLSClientInitiatedRenegotiationStatus.allowed_with_too_high_limit
+
+    @property
+    def score_secure_renegotiation(self) -> scoring.Score:
+        return (
+            scoring.WEB_TLS_SECURE_RENEG_GOOD
+            if self.supports_secure_renegotiation
+            else scoring.WEB_TLS_SECURE_RENEG_BAD
+        )
+
+    @property
+    def score_client_initiated_renegotiation(self) -> scoring.Score:
+        scores = {
+            TLSClientInitiatedRenegotiationStatus.not_allowed: scoring.WEB_TLS_CLIENT_RENEG_GOOD,
+            TLSClientInitiatedRenegotiationStatus.allowed_with_low_limit: scoring.WEB_TLS_CLIENT_RENEG_OK,
+            TLSClientInitiatedRenegotiationStatus.allowed_with_too_high_limit: scoring.WEB_TLS_CLIENT_RENEG_BAD,
+        }
+        return scores[self.status_client_initiated_renegotiation]
+
+
 @dataclass(frozen=True)
 class KeyExchangeRSAPKCSFunctionEvaluation:
     """

checks/tasks/tls/scans.py

@@ -73,6 +73,7 @@
     TLSCipherOrderEvaluation,
     TLSOCSPEvaluation,
     KeyExchangeRSAPKCSFunctionEvaluation,
+    TLSRenegotiationEvaluation,
 )
 from checks.tasks.tls.tls_constants import (
     CERT_SIGALG_GOOD,
@@ -621,6 +622,9 @@ def check_mail_tls(result: ServerScanResult, all_suites: List[CipherSuitesScanAt
     key_exchange_rsa_pkcs_evaluation = test_key_exchange_rsa_pkcs(server_conn_info)
     key_exchange_hash_evaluation = test_key_exchange_hash(server_conn_info)
 
+    renegotiation_evaluation = TLSRenegotiationEvaluation.from_session_renegotiation_scan_result(
+        result.scan_result.session_renegotiation.result
+    )
     cert_results = cert_checks(result.server_location.hostname, ChecksMode.MAIL)
 
     # HACK for DANE-TA(2) and hostname mismatch!
@@ -642,18 +646,10 @@ def check_mail_tls(result: ServerScanResult, all_suites: List[CipherSuitesScanAt
         cipher_order_score=cipher_order_evaluation.score,
         cipher_order=cipher_order_evaluation.status,
         cipher_order_violation=cipher_order_evaluation.violation,
-        secure_reneg=result.scan_result.session_renegotiation.result.supports_secure_renegotiation,
-        secure_reneg_score=(
-            scoring.WEB_TLS_SECURE_RENEG_GOOD
-            if result.scan_result.session_renegotiation.result.supports_secure_renegotiation
-            else scoring.WEB_TLS_SECURE_RENEG_BAD
-        ),
-        client_reneg=result.scan_result.session_renegotiation.result.is_vulnerable_to_client_renegotiation_dos,
-        client_reneg_score=(
-            scoring.WEB_TLS_CLIENT_RENEG_BAD
-            if result.scan_result.session_renegotiation.result.is_vulnerable_to_client_renegotiation_dos
-            else scoring.WEB_TLS_CLIENT_RENEG_GOOD
-        ),
+        secure_reneg=renegotiation_evaluation.status_secure_renegotiation,
+        secure_reneg_score=renegotiation_evaluation.score_secure_renegotiation,
+        client_reneg=renegotiation_evaluation.status_client_initiated_renegotiation,
+        client_reneg_score=renegotiation_evaluation.score_client_initiated_renegotiation,
         compression=result.scan_result.tls_compression.result.supports_compression
         if result.scan_result.tls_compression.result
         else None,
@@ -750,6 +746,9 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
     )
     key_exchange_rsa_pkcs_evaluation = test_key_exchange_rsa_pkcs(server_conn_info)
     key_exchange_hash_evaluation = test_key_exchange_hash(server_conn_info)
+    renegotiation_evaluation = TLSRenegotiationEvaluation.from_session_renegotiation_scan_result(
+        result.scan_result.session_renegotiation.result
+    )
 
     ocsp_evaluation = TLSOCSPEvaluation.from_certificate_deployments(
         result.scan_result.certificate_info.result.certificate_deployments[0]
@@ -768,18 +767,10 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         cipher_order_score=cipher_order_evaluation.score,
         cipher_order=cipher_order_evaluation.status,
         cipher_order_violation=cipher_order_evaluation.violation,
-        secure_reneg=result.scan_result.session_renegotiation.result.supports_secure_renegotiation,
-        secure_reneg_score=(
-            scoring.WEB_TLS_SECURE_RENEG_GOOD
-            if result.scan_result.session_renegotiation.result.supports_secure_renegotiation
-            else scoring.WEB_TLS_SECURE_RENEG_BAD
-        ),
-        client_reneg=result.scan_result.session_renegotiation.result.is_vulnerable_to_client_renegotiation_dos,
-        client_reneg_score=(
-            scoring.WEB_TLS_CLIENT_RENEG_BAD
-            if result.scan_result.session_renegotiation.result.is_vulnerable_to_client_renegotiation_dos
-            else scoring.WEB_TLS_CLIENT_RENEG_GOOD
-        ),
+        secure_reneg=renegotiation_evaluation.status_secure_renegotiation,
+        secure_reneg_score=renegotiation_evaluation.score_secure_renegotiation,
+        client_reneg=renegotiation_evaluation.status_client_initiated_renegotiation,
+        client_reneg_score=renegotiation_evaluation.score_client_initiated_renegotiation,
         compression=result.scan_result.tls_compression.result.supports_compression,
         compression_score=(
             scoring.WEB_TLS_COMPRESSION_BAD
@@ -820,7 +811,10 @@ def run_sslyze(
     This threading is handled inside sslyze.
     """
     log.debug(f"starting sslyze scan for {[scan.server_location for scan in scans]}")
-    scanner = Scanner(per_server_concurrent_connections_limit=connection_limit, concurrent_server_scans_limit=10)
+    scanner = Scanner(
+        per_server_concurrent_connections_limit=connection_limit,
+        concurrent_server_scans_limit=TLSRenegotiationEvaluation.SCAN_RENEGOTIATION_LIMIT,
+    )
     scanner.queue_scans(scans)
     for result in scanner.get_results():
         log.debug(f"sslyze scan for {result.server_location} result: {result.scan_status}")

checks/tasks/tls/tasks_reports.py

@@ -467,10 +467,7 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             else:
                 category.subtests["renegotiation_secure"].result_bad()
 
-            if dttls.client_reneg:
-                category.subtests["renegotiation_client"].result_bad()
-            else:
-                category.subtests["renegotiation_client"].result_good()
+            category.subtests["renegotiation_client"].save_result(dttls.client_reneg)
 
             if not dttls.cert_chain:
                 category.subtests["cert_trust"].result_could_not_test()
@@ -628,10 +625,7 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             else:
                 category.subtests["renegotiation_secure"].result_bad()
 
-            if dttls.client_reneg:
-                category.subtests["renegotiation_client"].result_bad()
-            else:
-                category.subtests["renegotiation_client"].result_good()
+            category.subtests["renegotiation_client"].save_result(dttls.client_reneg)
 
             if not dttls.cert_chain:
                 category.subtests["cert_trust"].result_could_not_test()