From 9a21104bd6e232e373cbe93119004983e2388832 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 24 Aug 2016 16:07:58 +0000
Subject: [PATCH] Clarify kex weakness warning with actual kex info
---
 scripts/ssl-enum-ciphers.nse | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 598291be1..99718a678 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -722,9 +722,10 @@ local function find_ciphers_group(host, port, protocol, group, scores)
 local kex_info = kex.server_key_exchange(ske.data)
 if kex_info.strength then
 local rsa_bits = tls.rsa_equiv(kex.type, kex_info.strength)
+ local low_strength_warning = false
 if kex_strength and kex_strength > rsa_bits then
 kex_strength = rsa_bits
- scores.warnings["Key exchange parameters of lower strength than certificate key"] = true
+ low_strength_warning = true
 end
 kex_strength = kex_strength or rsa_bits
 if kex_info.ecdhparams then
@@ -736,6 +737,11 @@ local function find_ciphers_group(host, port, protocol, group, scores)
 else
 extra = string.format("%s %d", kex.type, kex_info.strength)
 end
+ if low_strength_warning then
+ scores.warnings[(
+ "Key exchange (%s) of lower strength than certificate key"
+ ):format(extra)] = true
+ end
 end
 if kex_info.rsa and kex_info.rsa.exponent == 1 then
 kex_strength = 0
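Review bot: In the second hunk the warning text is now a formatted string used as the key of `scores.warnings`, so this condition no longer collapses into a single entry: every distinct `extra` value adds its own warning, and anything matching the old literal text in the script output stops matching. That looks intended, but it deserves a comment at the assignment, e.g. `-- one warning per distinct kex description; the key text is part of the script output`. The key is built with a parenthesised literal and `:format` split over three lines while the line just above uses `string.format`; `scores.warnings[string.format("Key exchange (%s) of lower strength than certificate key", extra)] = true` would match the surrounding style. The `ecdhparams` branch that also assigns `extra` lies outside the hunk, so I am assuming `extra` is always set by the time `low_strength_warning` is checked.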