Nmap Development mailing list archives

Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance


From: David Fifield <david () bamsoftware com>
Date: Wed, 14 Sep 2011 11:10:41 -0700

On Mon, Sep 05, 2011 at 11:22:59AM -0700, David Fifield wrote:
> On Wed, May 11, 2011 at 04:45:56PM -0700, Gabriel Lawrence wrote:
> > David,
> >
> > Thanks. I decided to join the mail list so I'd see these things from now on.
> > I finally got a chance to make the changes recommended below. Attached are
> > the new files. Let me know if you think anything else should be tweaked or
> > if these are good to go!
> >
> > PS: I don’t really consider my neckbeard to be awesome enough to make
> > recommendations for the world on what reasonable ciphers should be on their
> > default list. I took a wag at it anyway, so some review of that list
> > wouldn’t be a bad idea. I don’t think I included anything bad, but I may
> > have omitted something good.
>
> So here's what I want:
> 1. A new data file nselib/data/ssl-ciphers, the same as your current
>    samplegoodciphers, but with another column containing "strong":
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA    strong
> TLS_RSA_WITH_3DES_EDE_CBC_SHA         strong
> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA      strong
>    The idea, of course, is that we can add new lines with "weak", but
>    don't do that now. Anything not in the file will be considered
>    unknown strength.
> 2. Make ssl-enum-ciphers.nse use nselib/data/ssl-ciphers by default,
>    without requiring a script argument. Naturally, it has to parse the
>    "strong" column.
> 3. Make the output look like this:
> |   SSLv3
> |     Ciphers (7)
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
> |       TLS_RSA_WITH_RC4_128_SHA - strong
> |       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
> |_  Least strength = unknown strength
>    That's from "ncat -l -k --ssl" by the way. Your check for "Compliant = true"
>    will become one for "Least strength = strong". The ordering of
>    strength levels should be "strong" > "unknown strength" > "weak".

Gabe sent me a new version of the script satisfying these requests and I
committed it.

Now I want to bring the ssl-ciphers list up to date. If you look at the
output example, you'll see some cases where a 128-bit cipher is "strong"
while the same cipher in 256 bits is "unknown strength". We should add
those as "strong", and also add the YGN weak ciphers (from the parent
message to this one) as "weak". Can you make a patch for that?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
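The data-file format and "Least strength" ordering requested in the quoted message, worked through as an added Lua example (not code from the nmap project or the script's author); the file contents and the accepted-cipher list are constructed, and TLS_PLACEHOLDER_WEAK is a placeholder name standing in for a "weak" entry:

```lua
-- Added example, not the nmap project's own code. The data file and
-- accepted-cipher list are constructed; TLS_PLACEHOLDER_WEAK is a placeholder.

-- Ordering from the thread: "strong" > "unknown strength" > "weak".
local RANK = { strong = 3, ["unknown strength"] = 2, weak = 1 }

-- Parse "NAME<whitespace>strength" lines into a name -> strength table.
-- Blank lines and lines starting with '#' are skipped (an assumption);
-- a strength that is not strong/weak is ignored so the cipher stays unknown.
local function parse_ciphers(text)
  local strengths = {}
  for line in text:gmatch("[^\r\n]+") do
    local name, strength = line:match("^%s*(%S+)%s+(%S+)")
    if name and name:sub(1, 1) ~= "#" and RANK[strength] then
      strengths[name] = strength
    end
  end
  return strengths
end

-- Anything not in the file is "unknown strength".
local function strength_of(strengths, cipher)
  return strengths[cipher] or "unknown strength"
end

-- Least strength over the ciphers a server accepted (lowest rank wins).
local function least_strength(strengths, accepted)
  local least
  for _, c in ipairs(accepted) do
    local s = strength_of(strengths, c)
    if not least or RANK[s] < RANK[least] then least = s end
  end
  return least
end

local DATA = [[
# constructed sample in the nselib/data/ssl-ciphers format
TLS_RSA_WITH_3DES_EDE_CBC_SHA         strong
TLS_RSA_WITH_AES_128_CBC_SHA          strong
TLS_PLACEHOLDER_WEAK                  weak
]]

local strengths = parse_ciphers(DATA)
local accepted = { "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA" }
print("Ciphers (" .. #accepted .. ")")
for _, c in ipairs(accepted) do
  print("  " .. c .. " - " .. strength_of(strengths, c))
end
-- The old "Compliant = true" check becomes least_strength(...) == "strong".
print("Least strength = " .. least_strength(strengths, accepted))
```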
