Add sufficient>good separate status for cipher order

Author: mxsasha

checks/categories.py

@@ -1096,6 +1096,11 @@ def result_na(self):
         self.verdict = "detail web tls cipher-order verdict na"
         self.tech_data = ""
 
+    def result_sufficient_above_good(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail web tls cipher-order verdict sufficient-above-good"
+        self.tech_data = ""
+
 
 class WebTlsVersion(Subtest):
     def __init__(self):
@@ -1695,6 +1700,11 @@ def result_na(self):
         self.verdict = "detail mail tls cipher-order verdict na"
         self.tech_data = ""
 
+    def result_sufficient_above_good(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail web tls cipher-order verdict sufficient-above-good"
+        self.tech_data = ""
+
 
 class MailTlsVersion(Subtest):
     def __init__(self):

checks/models.py

@@ -120,6 +120,7 @@ class CipherOrderStatus(Enum):
     not_prescribed = 2
     not_seclevel = 3
     na = 4  # Don't care about order; only GOOD ciphers.
+    sufficient_above_good = 5
 
 
 class TLSExtendedMasterSecretStatus(Enum):

checks/tasks/tls/scans.py

@@ -974,6 +974,7 @@ def test_cipher_order(
     This is tested at all levels that the server supported.
     """
     cipher_order_violation = []
+    status = CipherOrderStatus.good
     if (
         not cipher_evaluation.ciphers_bad
         and not cipher_evaluation.ciphers_phase_out
@@ -989,14 +990,19 @@ def test_cipher_order(
 
     order_tuples = [
         (
+            CipherOrderStatus.sufficient_above_good,
             cipher_evaluation.ciphers_bad + cipher_evaluation.ciphers_phase_out + cipher_evaluation.ciphers_sufficient,
             # Make sure we do not mix in TLS 1.3 ciphers, all TLS 1.3 ciphers are good.
             cipher_evaluation.ciphers_good_no_tls13,
         ),
-        (cipher_evaluation.ciphers_bad + cipher_evaluation.ciphers_phase_out, cipher_evaluation.ciphers_sufficient),
-        (cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out),
+        (
+            CipherOrderStatus.bad,
+            cipher_evaluation.ciphers_bad + cipher_evaluation.ciphers_phase_out,
+            cipher_evaluation.ciphers_sufficient,
+        ),
+        (CipherOrderStatus.bad, cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out),
     ]
-    for expected_less_preferred, expected_more_preferred_list in order_tuples:
+    for fail_status, expected_less_preferred, expected_more_preferred_list in order_tuples:
         if cipher_order_violation:
             break
         # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
@@ -1009,16 +1015,17 @@ def test_cipher_order(
             )
             if preferred_suite != expected_more_preferred:
                 cipher_order_violation = [preferred_suite.name, expected_more_preferred.name]
+                status = fail_status
                 log.info(
                     f"found cipher order violation for {server_connectivity_info.server_location.hostname}:"
-                    f" preferred {preferred_suite.name} instead of {expected_more_preferred.name}"
+                    f" preferred {preferred_suite.name} instead of {expected_more_preferred.name}, status {fail_status}"
                 )
                 break
 
     return TLSCipherOrderEvaluation(
         violation=cipher_order_violation,
-        status=CipherOrderStatus.bad if cipher_order_violation else CipherOrderStatus.good,
-        score=scoring.WEB_TLS_CIPHER_ORDER_BAD if cipher_order_violation else scoring.WEB_TLS_CIPHER_ORDER_GOOD,
+        status=status,
+        score=scoring.WEB_TLS_CIPHER_ORDER_BAD if status == CipherOrderStatus.bad else scoring.WEB_TLS_CIPHER_ORDER_GOOD
     )
 
 

checks/tasks/tls/tasks_reports.py

@@ -444,6 +444,8 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
+            elif dttls.cipher_order == CipherOrderStatus.sufficient_above_good:
+                category.subtests["tls_cipher_order"].result_sufficient_above_good()
             else:
                 category.subtests["tls_cipher_order"].result_good()
 
@@ -602,6 +604,8 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
+            elif dttls.cipher_order == CipherOrderStatus.sufficient_above_good:
+                category.subtests["tls_cipher_order"].result_sufficient_above_good()
             else:
                 category.subtests["tls_cipher_order"].result_good()
 

interface/batch/openapi.yaml

@@ -628,14 +628,15 @@ components:
           enumClass: CipherOrderStatus
           description: |
             Cipher order preference of the server:
-            * `bad` - The server does not enforce his own preference.
-            * `good` - The server enforces his own preference.
+            * `bad` - The server does not enforce good and sufficient over weaker ciphers.
+            * `good` - The server enforces his own preference in a correct order.
             * `not_prescribed` - The server enforces his own preference but
               the cipher order is not based on prescribed ordering.
             * `not_seclevel` - The server enforces his own preference but
               the configured order is not based on security level.
             * `na` - The server only supports GOOD ciphers; cipher order is
               not relevant.
+            * `sufficient_above_good` - the server prefers sufficient ciphers over good.
         cipher_order_violation:
           type: array
           description: |