Re: [NSE][RFC] New cipher strength ratings for ssl-enum-ciphers

[David Fifield <david () bamsoftware com>]

On Tue, Jul 17, 2012 at 11:25:37AM -0500, Daniel Miller wrote:
> On 07/16/2012 02:30 PM, Patrik Karlsson wrote:
> > Have you looked at SSL Labs SSL Server Rating Guide?
> > https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009.pdf
> >
> > //Patrik
> > -- 
> > Patrik Karlsson
> > http://www.cqure.net
> > http://twitter.com/nevdull77
>
> I looked at this guide; it's a great source of information. It made
> me realize that a lot more goes into TLS security than just the
> cipher suite choice: Server certificate key length, DH prime
> choices, and protocol (SSLv3, TLSv1.0, etc) are all inputs that
> Qualys uses that we don't. Fortunately, there was enough information
> there to make a fairly accurate approximation of the A through F
> score. To do this, I wrote a simple Perl script
> (https://gist.github.com/3130353) and did a quick sanity check on
> the results. New patch (not reversed this time!) is attached.
>
> Also in this patch I added caching of the ssl-ciphers rankings, so
> now the file will only need to be read once per scan, instead of
> every time the script runs.

This looks fine to me, except for the change from weak/strong to A–F. If
we're going to do that, let's discuss it and do ti as a separate patch.
It needs new @output too.

Please regenerate it with your Perl script; assign anything "A" to
"strong" and everything else "weak". I'm curious to know if anything we
had previously classified as "strong" is weak according to the SSL
ratings.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/