Skip to content

WeakCipher Validator

certmonitor.validators.weak_cipher.WeakCipherValidator

Bases: BaseCipherValidator

Validates that the negotiated cipher suite is in the allowed list.

name class-attribute instance-attribute 

name: str = 'weak_cipher'

validate 

validate(cipher_info: Dict[str, Any], host: str, port: int) -> Dict[str, Any]

Validates that the negotiated cipher suite is in the allowed list.

Parameters:

Name Type Description Default
cipher_info dict

The cipher information.

 required
host str

The hostname.

 required
port int

The port number.

 required

Returns:

Name Type Description
dict Dict[str, Any]

A dictionary containing the validation results, including whether the cipher suite is allowed.

Examples:

Example output (success): This example shows a connection using a strong cipher suite, so validation passes.

```json
{
    "is_valid": true,
    "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256"
}
```

Example output (failure): This example shows a connection using a weak cipher suite, so validation fails.

```json
{
    "is_valid": false,
    "cipher_suite": "TLS_RSA_WITH_RC4_128_MD5",
    "reason": "Cipher suite TLS_RSA_WITH_RC4_128_MD5 is not allowed. Please update your allowed cipher suites or negotiate a supported cipher."
}
```
Source code in certmonitor/validators/weak_cipher.py 
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
def validate(
    self, cipher_info: Dict[str, Any], host: str, port: int
) -> Dict[str, Any]:
    """
    Validates that the negotiated cipher suite is in the allowed list.

    Args:
        cipher_info (dict): The cipher information.
        host (str): The hostname.
        port (int): The port number.

    Returns:
        dict: A dictionary containing the validation results, including whether the cipher suite is allowed.

    Examples:
        Example output (success):
            This example shows a connection using a strong cipher suite, so validation passes.

            ```json
            {
                "is_valid": true,
                "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256"
            }
            ```

        Example output (failure):
            This example shows a connection using a weak cipher suite, so validation fails.

            ```json
            {
                "is_valid": false,
                "cipher_suite": "TLS_RSA_WITH_RC4_128_MD5",
                "reason": "Cipher suite TLS_RSA_WITH_RC4_128_MD5 is not allowed. Please update your allowed cipher suites or negotiate a supported cipher."
            }
            ```
    """
    cipher_suite = cipher_info.get("cipher_suite", {})
    cipher_name = cipher_suite.get("name")

    result = {
        "is_valid": True,
        "cipher_suite": cipher_name,
    }

    if cipher_name not in ALLOWED_CIPHER_SUITES:
        result["is_valid"] = False
        result["reason"] = (
            f"Cipher suite {cipher_name} is not allowed. "
            "Please update your allowed cipher suites or negotiate a supported cipher."
        )

    return result