Added DH/ECDH info to output

sslyze/cli/json_output.py

@@ -15,6 +15,7 @@
 from sslyze.plugins.utils.certificate_utils import CertificateUtils
 from sslyze.server_connectivity_info import ServerConnectivityInfo
 from sslyze.server_connectivity_tester import ServerConnectivityError
+from nassl.temp_key_info import TempKeyInfo
 
 
 class JsonOutputGenerator(OutputGenerator):
@@ -112,6 +113,9 @@ def default(self, obj: Any) -> Union[bool, int, float, str, Dict[str, Any]]:
         elif isinstance(obj, Path):
             result = str(obj)
 
+        elif isinstance(obj, TempKeyInfo):
+            return obj.as_dict()
+
         elif isinstance(obj, object):
             # Some objects (like str) don't have a __dict__
             if hasattr(obj, "__dict__"):

sslyze/plugins/openssl_cipher_suites_plugin.py

@@ -4,6 +4,7 @@
 from xml.etree.ElementTree import Element
 
 from nassl.ssl_client import OpenSslVersionEnum, ClientCertificateRequested
+from nassl.temp_key_info import TempKeyInfo, OpenSslEvpPkeyEnum
 from nassl._nassl import OpenSSLError
 from sslyze.plugins.plugin_base import Plugin, PluginScanCommand
 from sslyze.plugins.plugin_base import PluginScanResult
@@ -470,10 +471,12 @@ def __init__(
         ssl_version: OpenSslVersionEnum,
         key_size: Optional[int],  # TODO(AD): Make it non-optional again by fixing client certificate handling
         post_handshake_response: Optional[str] = None,
+        dh_info: Optional[TempKeyInfo] = None,
     ) -> None:
         super().__init__(openssl_name, ssl_version)
         self.key_size = key_size
         self.post_handshake_response = post_handshake_response
+        self.dh_info = dh_info
 
     @classmethod
     def from_ongoing_ssl_connection(
@@ -482,7 +485,8 @@ def from_ongoing_ssl_connection(
         keysize = ssl_connection.ssl_client.get_current_cipher_bits()
         picked_cipher_name = ssl_connection.ssl_client.get_current_cipher_name()
         status_msg = ssl_connection.post_handshake_check()
-        return AcceptedCipherSuite(picked_cipher_name, ssl_version, keysize, status_msg)
+        dh_info = ssl_connection.ssl_client.get_dh_info()
+        return AcceptedCipherSuite(picked_cipher_name, ssl_version, keysize, status_msg, dh_info)
 
 
 class RejectedCipherSuite(CipherSuite):
@@ -626,6 +630,11 @@ def _format_accepted_cipher_xml(cipher: AcceptedCipherSuite) -> Element:
             cipher_attributes["connectionStatus"] = cipher.post_handshake_response
 
         cipher_xml = Element("cipherSuite", attrib=cipher_attributes)
+
+        if cipher.dh_info is not None:
+            key_exchange_xml = Element("keyExchange", attrib=cipher.dh_info.as_dict())
+            cipher_xml.append(key_exchange_xml)
+
         return cipher_xml
 
     ACCEPTED_CIPHER_LINE_FORMAT = "        {cipher_name:<50}{dh_size:<15}{key_size:<10}    {status:<60}"
@@ -711,9 +720,16 @@ def _format_accepted_cipher_txt(self, cipher: AcceptedCipherSuite) -> str:
             # Always display ANON as the key size for anonymous ciphers to make it visible
             keysize_str = "ANONYMOUS"
 
+        dh_size = ""
+        if cipher.dh_info is not None:
+            if cipher.dh_info.key_type == OpenSslEvpPkeyEnum.DH:
+                dh_size = "DH-{} bits".format(cipher.dh_info.key_size)
+            else:
+                dh_size = "ECDH-{} bits".format(cipher.dh_info.key_size)
+
         cipher_line_txt = self.ACCEPTED_CIPHER_LINE_FORMAT.format(
             cipher_name=cipher.name,
-            dh_size="",
+            dh_size=dh_size,
             key_size=keysize_str,
             status=cipher.post_handshake_response if cipher.post_handshake_response is not None else "",
         )