[Cryptography] SSLv3 in the wild

Fyodor fyodor at nmap.org
Tue Nov 11 17:50:34 EST 2014


On Wed, 29 Oct 2014, John Denker wrote:

>
> Nmap seems to have an overoptimistic notion of "strong":
>
> nmap --script ssl-enum-ciphers -p 443 flightplanning.navcanada.ca
>
> > Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-29 12:07 MST
> > Nmap scan report for flightplanning.navcanada.ca (207.236.24.143)
> > Host is up (0.076s latency).
> > rDNS record for 207.236.24.143: www.metcambeta.navcanada.ca
> > PORT    STATE SERVICE
> > 443/tcp open  https
> > | ssl-enum-ciphers:
> > |   SSLv3:
> > |     ciphers:
> > |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> > |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> > |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> > |     compressors:
> > |       NULL
> > |_  least strength: strong
>

Hi John, and thanks for the feedback.  We just finished some major
improvements to that script, including better grading of the cipher
strengths and a warning section for potential security risks.
Documentation has been improved too (
http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html). Here is how it looks
using the current SVN version of Nmap against that server:

nmap --script ssl-enum-ciphers -p 443 flightplanning.navcanada.ca

Starting Nmap 6.47SVN ( http://nmap.org ) at 2014-11-11 14:07 PST
Nmap scan report for flightplanning.navcanada.ca (207.236.24.143)
Host is up (0.089s latency).
rDNS record for 207.236.24.143: www.metcambeta.navcanada.ca
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128) - B
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128) - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Key exchange parameters of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: E

Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds

If anyone has further feedback on this script, you're also encouraged to
send it to our dev list for discussion (dev at nmap.org).

Cheers,
Fyodor
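
Added example, not part of the original message and not Nmap code: a small Python parser for the graded `ssl-enum-ciphers` text output shown above, so the per-cipher letter grades and the warnings section can be checked automatically against a policy floor. The names `parse` and `weaker_than` are hypothetical, and the indentation-based layout is assumed from the output in this message.

```python
import re
# Script output copied from the 6.47SVN scan in the message above.
SAMPLE = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128) - B
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128) - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Key exchange parameters of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: E
"""
CIPHER = re.compile(r"^(\S+)(?: \(([^)]*)\))? - ([A-F])$")  # name, (kex info)?, grade

def parse(text):
    """Parse ssl-enum-ciphers text into per-protocol sections plus the overall grade."""
    out = {"protocols": {}, "least": None}
    proto = section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # banner and port-table lines
        body = raw[2:]  # drop the "| " or "|_" gutter
        depth, item = len(body) - len(body.lstrip()), body.strip()
        if depth == 2 and item.startswith("least strength:"):
            out["least"] = item.split(":", 1)[1].strip()
        elif depth == 2:  # protocol header such as "SSLv3:"
            proto, section = out["protocols"].setdefault(item.rstrip(":"), {}), None
        elif depth == 4 and proto is not None:  # "ciphers:" or "key: value"
            key, _, value = item.partition(":")
            section = None if value else key
            proto[key] = value.strip() if value else []
        elif depth == 6 and section:  # entry of the open list section
            m = CIPHER.match(item) if section == "ciphers" else None
            proto[section].append(m.groups() if m else item)
    return out

def weaker_than(parsed, floor):
    """Return (protocol, cipher, kex, grade) for ciphers graded worse than `floor`."""
    return [(p, *c) for p, d in parsed["protocols"].items()
            for c in d.get("ciphers", []) if isinstance(c, tuple) and c[2] > floor]
```
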