Nmap Development mailing list archives

Re: [NSE] ssl-enum-ciphers hosed?


From: Mak Kolybabi <mak () kolybabi com>
Date: Sun, 21 Mar 2010 16:44:25 -0500

On 2010-03-15 10:13, David Fifield wrote:
> If there's some fundamental limitation that means the faster method can't ever
> be completely reliable, then switch back to the slower method.

In looking at some other tools that enumerate ciphers, I've found that they all
use the slow method. Sadly, I couldn't make the fast method work reliably across
all SSL implementations.

The new script (see attached) makes the following changes:
- Offers the slow-and-reliable algorithm, only.
- Fixes the "malformed packet" bug.
- Treats RSTs as rejections, not fatal errors.
- Adds some obsolete ciphers that were requested.
  - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  - SSL_RSA_FIPS_WITH_DES_CBC_SHA
- Adds some other cipher definitions that I came across.
  - TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  - TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
  - TLS_DHE_DSS_WITH_RC4_128_SHA
  - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  - TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
  - TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
  - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

Please let me know if there are any problems with the new version.

--
Matthew Anthony Kolybabi (Mak)
<mak () kolybabi com>

() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions

Attachment: ssl-enum-ciphers.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
