Add CAMELLIA as sufficient

checks/tasks/tls/evaluation.py

@@ -172,7 +172,6 @@ def from_ciphers_accepted(cls, ciphers_accepted: List[CipherSuiteAcceptedByServe
 
     @staticmethod
     def _format_str(suites: List[CipherSuite]) -> List[str]:
-        # TODO: remove IANA name, just here for debugging now
         return [f"{suite.openssl_name} ({suite.name})" for suite in suites]
 
     @property

checks/tasks/tls/scans.py

@@ -546,7 +546,6 @@ def check_mail_tls(server, dane_cb_data, task):
             if result.scan_result.tls_1_3_early_data.result.supports_early_data
             else scoring.WEB_TLS_ZERO_RTT_GOOD
         ),
-        # TODO appears to be currently unsupported
         kex_hash_func=KexHashFuncStatus.good,
         kex_hash_func_score=scoring.WEB_TLS_KEX_HASH_FUNC_OK,
     )
@@ -763,11 +762,11 @@ def test_cipher_order(
         (cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out),
     ]
     for expected_less_preferred, expected_more_preferred_list in order_tuples:
-        # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
-        expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name)
         if cipher_order_violation:
-            print("break out, got bad")
             break
+        # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
+        expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name)
+        print(f"checking server pref against: {[s.name for s in expected_more_preferred_list]}")
         for expected_more_preferred in expected_more_preferred_list:
             print(
                 f"evaluating less {[s.name for s in expected_less_preferred]} vs "
@@ -780,7 +779,7 @@ def test_cipher_order(
             )
             if preferred_suite != expected_more_preferred:
                 cipher_order_violation = [preferred_suite.name, expected_more_preferred.name]
-                print(f"break out, got bad inner: {cipher_order_violation}")
+                print(f"break out, got bad order: {cipher_order_violation}")
                 break
 
     return TLSCipherOrderEvaluation(
@@ -807,6 +806,7 @@ def find_most_preferred_cipher_suite(
     ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(
         override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl
     )
+    print(f"{suite_names=}")
     _set_cipher_suite_string(tls_version, ":".join(suite_names), ssl_connection.ssl_client)
 
     try:
@@ -823,5 +823,5 @@ def find_most_preferred_cipher_suite(
     selected_cipher = CipherSuitesRepository.get_cipher_suite_with_openssl_name(
         tls_version, ssl_connection.ssl_client.get_current_cipher_name()
     )
-    print(f"from CS {suite_names} selected {selected_cipher}")
+    print(f"from CS {[s.name for s in cipher_suites]} selected {selected_cipher}")
     return selected_cipher

checks/tasks/tls/tls_constants.py

@@ -38,6 +38,7 @@
     OpenSslEcNidEnum.SECP224R1,
 ]
 
+
 # NCSC appendix C, derived from table 2, 6 and 7
 CIPHERS_GOOD = [
     "TLS_AES_256_GCM_SHA384",
@@ -69,6 +70,19 @@
     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+    # CAMELLIA is not in appendix C but is sufficient (footnote 31)
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 ]
 CIPHERS_PHASE_OUT = [
     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",