Remove sufficient_above_good cipher order

mxsasha · mxsasha · commit 9350c26380c4 · 2026-03-10T17:06:13.000+01:00
We decided not to test this scenario after
considering the suites at each level.
Only bad&gt;(sufficient+good) is considered.
diff --git a/checks/categories.py b/checks/categories.py
@@ -1098,11 +1098,6 @@ def result_na(self):
         self.verdict = "detail web tls cipher-order verdict na"
         self.tech_data = ""
 
-    def result_sufficient_above_good(self):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls cipher-order verdict sufficient-above-good"
-        self.tech_data = ""
-
 
 class WebTlsVersion(Subtest):
     def __init__(self):
@@ -1751,11 +1746,6 @@ def result_na(self):
         self.verdict = "detail mail tls cipher-order verdict na"
         self.tech_data = ""
 
-    def result_sufficient_above_good(self):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls cipher-order verdict sufficient-above-good"
-        self.tech_data = ""
-
 
 class MailTlsVersion(Subtest):
     def __init__(self):
diff --git a/checks/models.py b/checks/models.py
@@ -114,7 +114,6 @@ class CipherOrderStatus(Enum):
     not_prescribed = 2
     not_seclevel = 3
     na = 4  # Don't care about order; only GOOD ciphers.
-    sufficient_above_good = 5
 
 
 class TLSExtendedMasterSecretStatus(Enum):
diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py
@@ -999,19 +999,11 @@ def test_cipher_order(
 
     order_tuples = [
         (
-            CipherOrderStatus.sufficient_above_good,
-            cipher_evaluation.ciphers_bad + cipher_evaluation.ciphers_phase_out + cipher_evaluation.ciphers_sufficient,
-            # Make sure we do not mix in TLS 1.3 ciphers, all TLS 1.3 ciphers are good.
-            cipher_evaluation.ciphers_good_no_tls13,
+            cipher_evaluation.ciphers_phase_out,
+            cipher_evaluation.ciphers_sufficient + cipher_evaluation.ciphers_good_no_tls13,
         ),
-        (
-            CipherOrderStatus.bad,
-            cipher_evaluation.ciphers_bad + cipher_evaluation.ciphers_phase_out,
-            cipher_evaluation.ciphers_sufficient,
-        ),
-        (CipherOrderStatus.bad, cipher_evaluation.ciphers_bad, cipher_evaluation.ciphers_phase_out),
     ]
-    for fail_status, expected_less_preferred, expected_more_preferred_list in order_tuples:
+    for expected_less_preferred, expected_more_preferred_list in order_tuples:
         if cipher_order_violation:
             break
         # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
@@ -1035,10 +1027,10 @@ def test_cipher_order(
                 )
             if preferred_suite != expected_more_preferred:
                 cipher_order_violation = [preferred_suite.name, expected_more_preferred.name]
-                status = fail_status
+                status = CipherOrderStatus.bad
                 log.info(
                     f"found cipher order violation for {server_connectivity_info.server_location.hostname}:"
-                    f" preferred {preferred_suite.name} instead of {expected_more_preferred.name}, status {fail_status}"
+                    f" preferred {preferred_suite.name} instead of {expected_more_preferred.name}, status {status}"
                 )
                 break
 
diff --git a/checks/tasks/tls/tasks_reports.py b/checks/tasks/tls/tasks_reports.py
@@ -451,8 +451,6 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
-            elif dttls.cipher_order == CipherOrderStatus.sufficient_above_good:
-                category.subtests["tls_cipher_order"].result_sufficient_above_good()
             else:
                 category.subtests["tls_cipher_order"].result_good()
 
@@ -614,8 +612,6 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
-            elif dttls.cipher_order == CipherOrderStatus.sufficient_above_good:
-                category.subtests["tls_cipher_order"].result_sufficient_above_good()
             else:
                 category.subtests["tls_cipher_order"].result_good()
 
diff --git a/interface/batch/openapi.yaml b/interface/batch/openapi.yaml
@@ -636,7 +636,6 @@ components:
               the configured order is not based on security level (deprecated).
             * `na` - The server only supports GOOD ciphers; cipher order is
               not relevant.
-            * `sufficient_above_good` - the server prefers sufficient ciphers over good.
         cipher_order_violation:
           type: array
           description: |
