Nmap Development mailing list archives
Re: [NSE] More cipher suites needed in ssl-date
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 22 Jul 2014 17:21:24 -0500
Thanks for this suggestion. In r33300, I added TLS_RSA_WITH_AES_128_CBC_SHA to the list of cipher suites in ssl-date and in tls-nextprotoneg, since at least the TLS 1.2 RFC says this suite must be included in compliant implementations "In the absence of an application profile standard specifying otherwise" (https://tools.ietf.org/html/rfc5246#section-9).

If this does not solve your problem, we can easily expand these checks to include a few more well-supported cipher suites.

Dan

On Tue, Jul 22, 2014 at 4:27 PM, <nnposter () users sourceforge net> wrote:
The current version of ssl-date.nse supports only the following three cipher suites:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

This restriction is causing issues when used against older Windows systems because they support only the RSA key exchange. This leaves us only with RC4+MD5, which is unreliable because targets tend to have it disabled due to using MD5 or because of the problematic RC4 or simply because the cipher suite is not FIPS-compliant.

I am proposing to add a fourth cipher suite that:

* Maintains key exchange compatibility by using the RSA key exchange
* Is compliant with FIPS (and inherently avoids both RC4 and MD5)

The obvious candidate is TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Cheers,
nnposter

Patch against revision 33299 follows:

--- scripts/ssl-date.nse.orig 2014-07-22 14:33:19.941974300 -0600 +++ scripts/ssl-date.nse 2014-07-22 14:48:18.570974300 -0600 @@ -59,6 +59,7 @@ ["ciphers"] = { "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5", }, ["compressors"] = {"NULL"},

_______________________________________________
Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
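Review bot: the added `"TLS_RSA_WITH_3DES_EDE_CBC_SHA",` entry in the `["ciphers"]` table carries no comment saying why it is there, so a later cleanup of legacy suites could drop it without knowing its purpose. A one-line Lua comment noting that it covers targets limited to RSA key exchange that have RC4 and MD5 disabled would record the intent. The reply above also says the same list exists in tls-nextprotoneg, which this patch does not touch, and that TLS_RSA_WITH_AES_128_CBC_SHA, added in r33300, is an RSA key exchange suite as well, so it is worth confirming whether the 3DES suite is still needed alongside it.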