Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Extended ssl-enum-ciphers script

From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 12 Aug 2014 15:34:52 -0500
On Tue, Aug 12, 2014 at 12:18 PM, David Fifield <david () bamsoftware com>
wrote:


On Tue, Aug 12, 2014 at 11:15:02AM +0200, Bojan Zdrnja (SANS ISC) wrote:

so with a normal setup on Windows there should
never be a case when more than 64 ciphers are supported.


There definitely were cases in the past where not limiting tests to 64
ciphersuites at a time caused false measurements. An example domain was
windowsupdate.microsoft.com back in 2012.



For the sake of completeness, here is the problem as it occurred, and our
workaround:

* The server supports some number N < 64 ciphersuites.
* We send a number of candidates C > 64 for the server to select from.
* The server (Windows) will only look for supported ciphersuites within the
first 64 candidates.
* As supported ciphersuites are removed from the list of candidates, the
top 64 positions begin to fill with unsupported ciphersuites.
* At the point where the first 64 candidates are non-supported
ciphersuites, but there are supported ciphersuites in positions 65 .. C, we
get a false rejection.
* By only sending 64 or fewer candidates at a time, we prevent false
rejections by only populating the positions that Windows servers will
examine.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: