Nmap Development mailing list archives

Re: cipher support


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 12 Oct 2015 13:34:20 -0500

Robin,

Nmap relies on the sslv2 NSE script [1] for SSLv2 detection and cipher
enumeration. It does not require OpenSSL for any of these functions. The
script will show the ciphers that the server provides; SSLv2 is different
than SSLv3 and TLS in this regard, since the server sends a list of
supported ciphers. The list of names that we can translate is admittedly
sparse: only 8 ciphers listed. But any unsupported ones will be reported by
number, so no real information is lost.

Related, the ssl-enum-ciphers script also does not use OpenSSL to determine
the list of supported ciphers. OpenSSL is used to parse the server
certificate to extract necessary key strength information for determining
the "score" of the handshake, but this is secondary to the cipher
enumeration part of the script.

Dan

[1] https://nmap.org/nsedoc/scripts/sslv2.html

On Mon, Oct 12, 2015 at 9:00 AM, Robin Wood <robin@digi.ninja> wrote:

I've been looking at SSL and found that both sslscan and nmap are
missing SSLv2 ciphers. From looking at sslscan it needs to be built
against a static version of openssl which is built to support SSLv2
and from a tweet by Dan Miller I assume nmap is the same, what is the
best way to do this?

Luckily I don't think I've missed anything as Nessus has been
catching all the SSLv2 that I've come across but I was wondering if it
is worth adding something to the scripts that test for ciphers so they
can warn the user if they are likely to miss ciphers due to the
version of openssl in use?

Robin
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
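
The behaviour Dan describes, as an added example (not the sslv2 script's own code, which is Lua): a Python parser for an SSLv2 SERVER-HELLO that extracts the server-sent cipher list, names the kinds it knows and reports the rest by number. The field layout and cipher names follow the SSLv2 draft specification; `parse_server_hello`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# Cipher kinds defined in the SSLv2 draft specification (3 bytes each).
SSL2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_server_hello(record: bytes) -> list:
    """Return the cipher list a server advertised in an SSLv2 SERVER-HELLO."""
    if len(record) < 2:
        raise ValueError("short record")
    if record[0] & 0x80:                      # 2-byte header, 15-bit length
        hdr, length = 2, ((record[0] & 0x7F) << 8) | record[1]
    else:                                     # 3-byte header, 14-bit length
        hdr, length = 3, ((record[0] & 0x3F) << 8) | record[1]
    body = record[hdr:hdr + length]
    if len(body) < length or length < 11:
        raise ValueError("truncated record")
    mtype, _hit, _ctype, version, cert_len, spec_len, conn_len = \
        struct.unpack(">BBBHHHH", body[:11])
    if mtype != 4 or version != 0x0002:       # 4 = SERVER-HELLO
        raise ValueError("not an SSLv2 SERVER-HELLO")
    if spec_len % 3 or 11 + cert_len + spec_len + conn_len > len(body):
        raise ValueError("inconsistent length fields")
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    out = []
    for i in range(0, spec_len, 3):
        kind = int.from_bytes(specs[i:i + 3], "big")
        # Unnamed kinds are still reported, by number, so nothing is lost.
        out.append(SSL2_CIPHERS.get(kind, f"unknown cipher 0x{kind:06x}"))
    return out

def build_sample() -> bytes:
    """Constructed SERVER-HELLO: dummy 4-byte cert, 3 cipher specs, 16-byte id."""
    cert, conn_id = b"CERT", bytes(16)
    specs = bytes.fromhex("010080" "0700c0" "ff8001")  # last kind is made up
    body = struct.pack(">BBBHHHH", 4, 0, 1, 2, len(cert), len(specs),
                       len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    for name in parse_server_hello(build_sample()):
        print(name)
```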
