<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, 29 Oct 2014, John Denker wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Nmap seems to have an overoptimistic notion of "strong":<br>
<br>
nmap --script ssl-enum-ciphers -p 443 <a href="http://flightplanning.navcanada.ca" target="_blank">flightplanning.navcanada.ca</a><br>
<br>
> Starting Nmap 6.40 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2014-10-29 12:07 MST<br>
> Nmap scan report for <a href="http://flightplanning.navcanada.ca" target="_blank">flightplanning.navcanada.ca</a> (207.236.24.143)<br>
> Host is up (0.076s latency).<br>
> rDNS record for <a href="http://207.236.24.143" target="_blank">207.236.24.143</a>: <a href="http://www.metcambeta.navcanada.ca" target="_blank">www.metcambeta.navcanada.ca</a><br>
> PORT STATE SERVICE<br>
> 443/tcp open https<br>
> | ssl-enum-ciphers:<br>
> | SSLv3:<br>
> | ciphers:<br>
> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong<br>
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong<br>
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong<br>
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong<br>
> | TLS_RSA_WITH_AES_128_CBC_SHA - strong<br>
> | TLS_RSA_WITH_AES_256_CBC_SHA - strong<br>
> | compressors:<br>
> | NULL<br>
> |_ least strength: strong<br></blockquote><div><br></div><div>Hi John, and thanks for the feedback. We just finished some major improvements to that script, including better grading of the cipher strengths and a warning section for potential security risks. Documentation has been improved too (<a href="http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html" target="_blank">http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html</a>). Here is how it looks using the current SVN version of Nmap against that server:</div><div><br></div><div><div>nmap --script ssl-enum-ciphers -p 443 <a href="http://flightplanning.navcanada.ca" target="_blank">flightplanning.navcanada.ca</a></div><div><br></div><div>Starting Nmap 6.47SVN ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2014-11-11 14:07 PST</div><div>Nmap scan report for <a href="http://flightplanning.navcanada.ca" target="_blank">flightplanning.navcanada.ca</a> (207.236.24.143)</div><div>Host is up (0.089s latency).</div><div>rDNS record for <a href="http://207.236.24.143" target="_blank">207.236.24.143</a>: <a href="http://www.metcambeta.navcanada.ca" target="_blank">www.metcambeta.navcanada.ca</a></div><div>PORT STATE SERVICE</div><div>443/tcp open https</div><div>| ssl-enum-ciphers: </div><div>| SSLv3: </div><div>| ciphers: </div><div>| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128) - B</div><div>| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A</div><div>| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128) - C</div><div>| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A</div><div>| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128) - E</div><div>| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C</div><div>| compressors: </div><div>| NULL</div><div>| cipher preference: server</div><div>| warnings: </div><div>| CBC-mode cipher in SSLv3 (CVE-2014-3566)</div><div>| Key exchange parameters of lower strength than certificate key</div><div>| Weak certificate signature: SHA1</div><div>|_ least strength: E</div><div><br></div><div>Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds</div></div><div><br></div><div>If anyone has further feedback on this script, you're also encouraged to send it to our dev list for discussion (<a href="mailto:dev@nmap.org" target="_blank">dev@nmap.org</a>).</div><div><br></div><div>Cheers,</div><div>Fyodor</div></div></div></div>
</div><br></div>