Nmap Development mailing list archives
Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance
From: David Fifield <david () bamsoftware com>
Date: Wed, 14 Sep 2011 11:10:41 -0700
On Mon, Sep 05, 2011 at 11:22:59AM -0700, David Fifield wrote:
On Wed, May 11, 2011 at 04:45:56PM -0700, Gabriel Lawrence wrote:

David,

Thanks. I decided to join the mail list so I'd see these things from now on. I finally got a chance to make the changes recommended below. Attached are the new files. Let me know if you think anything else should be tweaked or if these are good to go!

PS: I don't really consider my neckbeard to be awesome enough to make recommendations for the world on what reasonable ciphers should be on their default list. I took a wag at it anyway, so some review of that list wouldn't be a bad idea. I don't think I included anything bad, but I may have omitted something good.

So here's what I want:

1. A new data file nselib/data/ssl-ciphers, the same as your current samplegoodciphers, but with another column containing "strong":

SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA strong
TLS_RSA_WITH_3DES_EDE_CBC_SHA strong
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA strong

The idea, of course, is that we can add new lines with "weak", but don't do that now. Anything not in the file will be considered unknown strength.

2. Make ssl-enum-ciphers.nse use nselib/data/ssl-ciphers by default, without requiring a script argument. Naturally, it has to parse the "strong" column.

3. Make the output look like this:

| SSLv3
| Ciphers (7)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|_ Least strength = unknown strength

That's from "ncat -l -k --ssl" by the way. Your check for "Compliant = true" will become one for "Least strength = strong". The ordering of strength levels should be "strong" > "unknown strength" > "weak".
Gabe sent me a new version of the script satisfying these requests and I committed it. Now I want to bring the ssl-ciphers list up to date. If you look at the output example, you'll see some cases where a 128-bit cipher is "strong" while the same cipher in 256 bits is "unknown strength". We should add those as "strong", and also add the YGN weak ciphers (from the parent message to this one) as "weak". Can you make a patch for that?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
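The data-file format and the "least strength" rule laid out in the quoted request, modelled in Python as an added example. This is not the nmap ssl-enum-ciphers.nse script or any code posted in the thread: the sample ssl-ciphers file and the list of offered suites are constructed here (the "weak" line is added only to exercise the ordering), and the handling of '#' comment lines and the indentation of the rendered report are assumptions.

```python
# Added example: a stand-alone model of the nselib/data/ssl-ciphers format
# and the strength ordering requested in the thread. Not the NSE script.

# Constructed sample in the requested format: suite name, whitespace,
# strength label. Treating '#' lines and blank lines as comments is an
# assumption; the thread only shows "<suite> strong" lines.
SAMPLE_SSL_CIPHERS_FILE = """\
# suite name                         strength
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA   strong
TLS_RSA_WITH_3DES_EDE_CBC_SHA        strong
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA     strong
TLS_RSA_WITH_AES_128_CBC_SHA         strong
TLS_RSA_WITH_RC4_128_SHA             strong
TLS_RSA_WITH_NULL_MD5                weak
"""

UNKNOWN = "unknown strength"
# Ordering from the request: "strong" > "unknown strength" > "weak".
# Lower rank is better; the least strength of a list is its highest rank.
STRENGTH_RANK = {"strong": 0, UNKNOWN: 1, "weak": 2}


def parse_ssl_ciphers(text):
    """Parse the data file into {suite_name: strength}.

    Malformed lines and unrecognised labels raise, so a typo in the data
    file cannot silently demote a "weak" entry to "unknown strength".
    """
    ratings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected '<suite> <strength>'" % lineno)
        name, strength = fields
        if strength not in STRENGTH_RANK:
            raise ValueError("line %d: unknown strength label %r" % (lineno, strength))
        ratings[name] = strength
    return ratings


def rate_ciphers(offered, ratings):
    """Return [(suite, strength)] sorted by name. Suites absent from the
    data file are reported as "unknown strength", as the request specifies."""
    return [(name, ratings.get(name, UNKNOWN)) for name in sorted(offered)]


def least_strength(rated):
    """Weakest label present under STRENGTH_RANK (None for an empty list)."""
    if not rated:
        return None
    return max((strength for _, strength in rated), key=STRENGTH_RANK.__getitem__)


def is_compliant(rated):
    """Replacement for the old 'Compliant = true' check: every offered
    suite must be rated "strong"; a single unknown or weak suite fails."""
    return least_strength(rated) == "strong"


def format_report(protocol, rated):
    """Render one per-protocol block in the layout quoted in the thread.
    The two-space nesting is an assumption about the original output."""
    lines = ["| %s" % protocol, "|   Ciphers (%d)" % len(rated)]
    lines += ["|     %s - %s" % (name, strength) for name, strength in rated]
    lines.append("|_  Least strength = %s" % least_strength(rated))
    return "\n".join(lines)


# Constructed input: the seven SSLv3 suites from the ncat example quoted above.
OFFERED_SSLV3 = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
]

if __name__ == "__main__":
    ratings = parse_ssl_ciphers(SAMPLE_SSL_CIPHERS_FILE)
    rated = rate_ciphers(OFFERED_SSLV3, ratings)
    print(format_report("SSLv3", rated))
    print("compliant:", is_compliant(rated))
```

With the sample file, the AES-256 and Camellia-256 suites come out as "unknown strength" while their 128-bit siblings are "strong", which is exactly the gap the reply above asks to close by adding the 256-bit lines to the data file; adding the constructed NULL-cipher line to the offered list drags the least strength down to "weak".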
Current thread:
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance David Fifield (Sep 05)
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance David Fifield (Sep 14)