Nmap Development mailing list archives
Re: [NSE][RFC] New cipher strength ratings for ssl-enum-ciphers
From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Jul 2012 09:39:44 -0700
On Tue, Jul 17, 2012 at 11:25:37AM -0500, Daniel Miller wrote:
> On 07/16/2012 02:30 PM, Patrik Karlsson wrote:
>> Have you looked at SSL Labs SSL Server Rating Guide?
>> https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009.pdf
>>
>> //Patrik
>> --
>> Patrik Karlsson
>> http://www.cqure.net
>> http://twitter.com/nevdull77
>
> I looked at this guide; it's a great source of information. It made me
> realize that a lot more goes into TLS security than just the cipher suite
> choice: Server certificate key length, DH prime choices, and protocol
> (SSLv3, TLSv1.0, etc) are all inputs that Qualys uses that we don't.
> Fortunately, there was enough information there to make a fairly accurate
> approximation of the A through F score. To do this, I wrote a simple Perl
> script (https://gist.github.com/3130353) and did a quick sanity check on
> the results.
>
> New patch (not reversed this time!) is attached. Also in this patch I
> added caching of the ssl-ciphers rankings, so now the file will only need
> to be read once per scan, instead of every time the script runs.

This looks fine to me, except for the change from weak/strong to A–F. If
we're going to do that, let's discuss it and do it as a separate patch. It
needs new @output too. Please regenerate it with your Perl script; assign
anything "A" to "strong" and everything else "weak". I'm curious to know if
anything we had previously classified as "strong" is weak according to the
SSL ratings.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/