Nmap Development mailing list archives

Re: ssl-enum-ciphers not returning all ciphers


From: David Fifield <david () bamsoftware com>
Date: Mon, 10 Feb 2020 02:42:09 -0700

I notice that r37902 nselib/tls.lua CIPHERS is missing
        ["TLS_AES_128_GCM_SHA256"]                         =  0x1301,
        ["TLS_AES_256_GCM_SHA384"]                         =  0x1302,
        ["TLS_CHACHA20_POLY1305_SHA256"]                   =  0x1303,
(Values from https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4.)

But that doesn't explain the absence of
0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xC013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

On Sat, Feb 01, 2020 at 07:56:02PM +1000, will wrote:
I found https://seclists.org/nmap-dev/2019/q3/4 which ends with 
"That said, if you get any other tool (testssl.sh, SSLLabs, openssl s_client, etc.) to show ciphers that Nmap's 
ssl-enum-ciphers does not show, please let us know so we can investigate."

So, here goes:
% nmap -script ssl-enum-ciphers.nse -p 6443 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 19:52 AEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Other addresses for localhost (not scanned): ::1 fe80::1

PORT     STATE SERVICE
6443/tcp open  sun-sr-https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Forward Secrecy not supported by any cipher
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
% testssl.sh localhost:6443

<snip other sections for brevity)

 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA


This also concurs with what I get from openssl s_client, where I can connect with e.g. 
openssl s_client -cipher ECDHE-RSA-WITH-AES-256-GCM-SHA384 -connect localhost:6443

nmap is 7.80 installed using brew on OS X, if that matters.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
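
The comparison made in this thread (suites that testssl.sh lists but ssl-enum-ciphers does not, with the TLS 1.3 code points separated from the rest) can be scripted. The following is an added example, not part of the original messages or of Nmap; the function names are hypothetical and the sample input is constructed from the output rows quoted above.

```python
import re
# Constructed sample input: cipher rows from the two tool outputs quoted in the thread.
NMAP_OUT = """\
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
"""
TESTSSL_OUT = """\
 x1302   TLS_AES_256_GCM_SHA384        ECDH 253  AESGCM    256  TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 253  ChaCha20  256  TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 253  AESGCM    256  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA          ECDH 253  AES       256  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305   ECDH 253  ChaCha20  256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384             RSA       AESGCM    256  TLS_RSA_WITH_AES_256_GCM_SHA384
 x35     AES256-SHA                    RSA       AES       256  TLS_RSA_WITH_AES_256_CBC_SHA
 x1301   TLS_AES_128_GCM_SHA256        ECDH 253  AESGCM    128  TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 253  AESGCM    128  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc013   ECDHE-RSA-AES128-SHA          ECDH 253  AES       128  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256             RSA       AESGCM    128  TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f     AES128-SHA                    RSA       AES       128  TLS_RSA_WITH_AES_128_CBC_SHA
"""

def parse_nmap(text):
    # Suite names from ssl-enum-ciphers lines such as '|   NAME (rsa 4096) - A'.
    return set(re.findall(r"^\|\s+(TLS_[A-Z0-9_]+) \(", text, re.M))

def parse_testssl(text):
    """Map IANA name -> code point; a wrapped row has its name on the following line."""
    suites, pending = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*x([0-9a-f]{2,4})\s", line):
            pending = int(m.group(1), 16)
        names = re.findall(r"\bTLS_[A-Z0-9_]+\b", line)
        if names and pending is not None:
            suites[names[-1]] = pending  # last TLS_ token is the IANA/RFC column
            pending = None
    return suites

def missing_from_nmap(nmap_text, testssl_text):
    """Suites testssl.sh lists but Nmap does not: (TLS 1.3 0x13xx suites, all others)."""
    seen, tls13, other = parse_nmap(nmap_text), [], []
    for name, code in sorted(parse_testssl(testssl_text).items(), key=lambda kv: kv[1]):
        if name not in seen:
            (tls13 if code >> 8 == 0x13 else other).append((f"0x{code:04X}", name))
    return tls13, other

if __name__ == "__main__":
    print(missing_from_nmap(NMAP_OUT, TESTSSL_OUT))
```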

