Nmap Development mailing list archives
Re: ssl-enum-ciphers question
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 5 Apr 2017 17:09:06 -0500
Robin,

One of the ciphers supported uses an Elliptic Curve Cryptography (ECC) key exchange. In this case, ssl-enum-ciphers offers all published ECC curves and lets the server pick one. The server picked the "secp256r1" curve, which is a 256-bit curve having an equivalent strength to 3072-bit RSA. The server's certificate has a key strength that is greater than 3072-bit RSA. This could be 4096-bit RSA or 384-bit ECC. The intent of the warning is to identify servers that are configured to negotiate a weaker connection than the certificate is capable of.

This reminds me that we do not currently have a way of enumerating all the ECC curves that a server supports. This would be an interesting data set and could also show a weakness in cipher strength, since named curves go all the way down to 1024-bit equivalent strength, and custom curves can be 512-bit or weaker.

Dan

On Wed, Apr 5, 2017 at 4:55 PM, Robin Wood <robin@digi.ninja> wrote:
Hi

Can anyone explain what this output from the ssl-enum-ciphers script means?

| Key exchange (secp256r1) of lower strength than certificate key

Thanks

Robin
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
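The comparison described in the reply above, as an added example that is not part of the original thread and is not Nmap's own code: it expresses the negotiated curve and the certificate key in RSA-equivalent bits and returns the warning text when the key exchange is the weaker of the two. The NIST SP 800-57 strength tiers, the curve table and all function names are assumptions of this example.

```python
from bisect import bisect_right

# NIST SP 800-57 Part 1 comparable strengths (assumed mapping for this
# example): minimum EC field size in bits -> RSA modulus size in bits.
EC_MIN_BITS = [160, 224, 256, 384, 512]
RSA_EQUIV = [1024, 2048, 3072, 7680, 15360]

# Field sizes of a few named curves; extend as needed.
CURVE_BITS = {"secp160r1": 160, "secp192r1": 192, "secp224r1": 224,
              "secp256r1": 256, "secp384r1": 384, "secp521r1": 521}


def rsa_equivalent(key_type, bits):
    """Express a key's strength as an RSA modulus size in bits.

    EC sizes below the smallest tabulated tier return 0 so that they
    always compare as weaker than any tabulated key.
    """
    if key_type == "rsa":
        return bits
    if key_type == "ec":
        tier = bisect_right(EC_MIN_BITS, bits)
        return RSA_EQUIV[tier - 1] if tier else 0
    raise ValueError(f"unsupported key type: {key_type!r}")


def kex_warning(curve, cert_type, cert_bits):
    """Return the warning text if the ECDHE curve is weaker than the cert key."""
    if curve not in CURVE_BITS:
        raise ValueError(f"unknown curve: {curve!r}")
    kex = rsa_equivalent("ec", CURVE_BITS[curve])
    cert = rsa_equivalent(cert_type, cert_bits)
    if kex < cert:
        return f"Key exchange ({curve}) of lower strength than certificate key"
    return None


def weakest_curve(accepted):
    """Pick the weakest curve from a list of curves a server accepted."""
    return min(accepted, key=lambda c: rsa_equivalent("ec", CURVE_BITS[c]))


if __name__ == "__main__":
    # Constructed cases: (negotiated curve, certificate key type, key bits).
    for case in [("secp256r1", "rsa", 4096), ("secp256r1", "ec", 384),
                 ("secp256r1", "rsa", 2048), ("secp384r1", "rsa", 4096)]:
        print(case, "->", kex_warning(*case))
    print("weakest:", weakest_curve(["secp384r1", "secp256r1", "secp192r1"]))
```
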