Nmap Development mailing list archives

Re: [NSE] HUGE ssl-enum-ciphers speed improvement


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 12 Jul 2012 17:27:40 -0500

On 07/12/2012 05:09 PM, Matt Selsky wrote:
> On Thu, Jul 12, 2012 at 5:37 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
>
>> I've found a way to vastly improve the speed and efficiency of the
>> ssl-enum-ciphers by letting the server choose ciphers instead of trying
>> every single one. First, the numbers, based on a scan of nmap.org, port 443.
>> Before: 858 Client Hello messages, 9.56s NSE time. After: 24 Client Hello
>> messages, 3.07s NSE time.
>
> I get the similar times with and without the patch.  Though with the
> patch, the script now detects that the server supports compression.
>
> Unpatched: Completed NSE at 18:07, 1.81s elapsed
> Patched: Completed NSE at 18:07, 1.77s elapsed
>
> Cheers,
> Matt

Matt,

I'm surprised at this. Can you tell me anything else about your environment or the server (how many ciphers supported, for instance) that might explain it? Unlike the original version, mine slows in proportion to the number of ciphers supported. Here are some example runs against a set of Internet hosts (gmail.com facebook.com nmap.org github.com firstnational.com en.wikipedia.org):

Unpatched: 6 IP addresses (6 hosts up) scanned in 93.40 seconds
Patched: 6 IP addresses (6 hosts up) scanned in 18.47 seconds

Dan
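
The following is an added example, not part of the original message or of the patch under discussion. It simulates the two enumeration strategies the thread compares (one Client Hello per candidate suite versus letting the server choose and re-offering the rest) and counts the Client Hellos each one sends. The `FakeServer` class, the suite names, the candidate count of 200 and the batch size of 64 are all constructed assumptions.

```python
# Constructed stand-ins: 200 candidate suite names, not real TLS identifiers.
CANDIDATES = [f"SUITE_{i:03d}" for i in range(200)]


class FakeServer:
    """Simulated TLS endpoint that counts the Client Hellos it receives."""

    def __init__(self, supported):
        self.supported = set(supported)
        self.hellos = 0

    def handshake(self, offered):
        self.hellos += 1
        for suite in offered:
            if suite in self.supported:
                return suite  # Server Hello naming the chosen suite
        return None  # no shared suite: handshake failure


def enum_one_by_one(server, candidates):
    """One Client Hello per candidate suite."""
    return [c for c in candidates if server.handshake([c]) == c]


def enum_server_choice(server, candidates, batch=64):
    """Offer a batch, drop whatever the server picks, repeat until rejected."""
    found = []
    for start in range(0, len(candidates), batch):
        remaining = candidates[start:start + batch]
        while remaining:
            chosen = server.handshake(remaining)
            if chosen is None:
                break
            found.append(chosen)
            remaining.remove(chosen)
    return found


def compare(supported):
    """Return (suites found, hellos one-by-one, hellos server-choice)."""
    old, new = FakeServer(supported), FakeServer(supported)
    a = enum_one_by_one(old, CANDIDATES)
    b = enum_server_choice(new, CANDIDATES)
    if sorted(a) != sorted(b):
        raise RuntimeError("strategies disagree")
    return sorted(b), old.hellos, new.hellos


if __name__ == "__main__":
    print(compare(["SUITE_003", "SUITE_070", "SUITE_071", "SUITE_150"]))
```

In this simulation the one-by-one count is fixed by the size of the candidate list, while the server-choice count is roughly the number of supported suites plus one rejected hello per batch, which is the proportionality described in the message above.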
