Nmap Development mailing list archives
Re: [NSE] Extended ssl-enum-ciphers script
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 12 Aug 2014 15:34:52 -0500
On Tue, Aug 12, 2014 at 12:18 PM, David Fifield <david () bamsoftware com> wrote:
On Tue, Aug 12, 2014 at 11:15:02AM +0200, Bojan Zdrnja (SANS ISC) wrote:so with a normal setup on Windows there should never be a case when more than 64 ciphers are supported.There definitely were cases in the past where not limiting tests to 64 ciphersuites at a time caused false measurements. An example domain was windowsupdate.microsoft.com back in 2012.
For the sake of completeness, here is the problem as it occurred, and our workaround: * The server supports some number N < 64 ciphersuites. * We send a number of candidates C > 64 for the server to select from. * The server (Windows) will only look for supported ciphersuites within the first 64 candidates. * As supported ciphersuites are removed from the list of candidates, the top 64 positions begin to fill with unsupported ciphersuites. * At the point where the first 64 candidates are non-supported ciphersuites, but there are supported ciphersuites in positions 65 .. C, we get a false rejection. * By only sending 64 or fewer candidates at a time, we prevent false rejections by only populating the positions that Windows servers will examine. Dan _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] Extended ssl-enum-ciphers script, (continued)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 10)
- Re: [NSE] Extended ssl-enum-ciphers script Bojan Zdrnja (SANS ISC) (Aug 10)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 11)
- Re: [NSE] Extended ssl-enum-ciphers script Royce Williams (Aug 11)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script Royce Williams (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script Bojan Zdrnja (SANS ISC) (Aug 10)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 10)
- Re: [NSE] Extended ssl-enum-ciphers script Bojan Zdrnja (SANS ISC) (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script David Fifield (Aug 12)
- Re: [NSE] Extended ssl-enum-ciphers script Daniel Miller (Aug 12)