Nmap Development mailing list archives
Re: TLS cipher strength diffs between nmap and SSL Labs
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 27 Aug 2020 12:13:37 -0500
Jerry,

The version of Nmap you are using (6.40) is 7 years old. The version of the script it uses only scores the encryption strength of the ciphersuite itself. The current version also considers the strength of the handshake key (DH parameters or RSA key) and will warn for some specific problems.

That is only part of the story, however; even the current version lists all parameters as having an "A" score. Qualys is downgrading some specific things, namely all CBC ciphersuites and all ciphersuites without Forward Secrecy (ECDHE or DHE). Nmap has not gone so far as downgrading these things, though we may do so in a future release.

Dan

On Mon, Aug 10, 2020 at 7:15 PM Chen, Jerry G <Jerry.Chen () invesco com> wrote:
Hi – I used Qualys SSL Labs to test our company's website. The results are here at https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on . It finds 12 ciphers used with only 2 being strong. But when I use nmap to scan the site, all 12 ciphers are listed as strong. Do you know whose results are more accurate?

Thanks!
Jerry

nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT
Nmap scan report for www.invesco.com (142.148.253.74)
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
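The following is an added example, not part of the original messages and not code from Nmap or SSL Labs. It parses ssl-enum-ciphers output in the layout quoted above and flags each suite for the two properties the reply names (CBC mode, no ECDHE/DHE forward secrecy), which is enough to show why a scan that scores everything "strong" can still leave only two suites unflagged. The function names are hypothetical, the sample text is constructed from the quoted scan, and the name parsing assumes TLS 1.2-style `TLS_<kx>_WITH_<cipher>` suite names.

```python
import re

# Constructed sample: TLSv1.2 section in the ssl-enum-ciphers layout quoted in the thread.
SCAN_OUTPUT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Suite name, optional "(key exchange info)" as printed by newer script versions, then score.
CIPHER_LINE = re.compile(r"^\|[ _]+(TLS_\w+)[ ]+(?:\([^)]*\)[ ]+)?-[ ]+(\S+)", re.M)

def concerns(suite):
    """Return which of the two properties named in the reply apply to a suite."""
    key_exchange, _, cipher = suite[len("TLS_"):].partition("_WITH_")
    found = []
    if not key_exchange.startswith(("ECDHE", "DHE")):
        found.append("no forward secrecy")
    if "CBC" in cipher.split("_"):
        found.append("CBC mode")
    return found

def review(scan_output):
    """Map each listed suite to (score printed by Nmap, list of concerns)."""
    return {name: (score, concerns(name))
            for name, score in CIPHER_LINE.findall(scan_output)}

def unflagged(scan_output):
    """Suites that are neither CBC nor missing forward secrecy."""
    return sorted(n for n, (_, c) in review(scan_output).items() if not c)

if __name__ == "__main__":
    for name, (score, found) in review(SCAN_OUTPUT).items():
        print(f"{name:42} nmap={score:7} {', '.join(found) or 'no concern'}")
```

This only checks the two properties mentioned in the thread; it does not reproduce the SSL Labs grading or the handshake-key checks of the current Nmap script.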