Nmap Development mailing list archives
Re: nmap 'ssl-enum-ciphers' does not display all ciphers
From: nnposter <nnposter () users sourceforge net>
Date: Wed, 10 Jan 2018 12:59:27 -0700
On 1/10/18 12:12 PM, Lemons, Terry wrote:
> Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 20:48 EST
> <snip>
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: A
>
> So I like the addition of the 'strength' information. But the basic
> issue remains; why doesn't nmap report on all of the ciphers that nginx
> is making available?

I am guessing that the issue is not that Nmap fails to report them. More likely your server is not really supporting them. Let me comment on your individual cipher suites:

DHE-RSA-AES256-SHA256

Ephemeral (classic) DH key exchange requires key space definition. Have you configured "ssl_dhparam" in Nginx?

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256

Your RSA key/certificate pair is not compatible with these cipher suites. Do you also have ECDSA key/certificate pair configured?

ECDH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES128-GCM-SHA256

These cipher suites are using fixed DH key exchange, not ephemeral, and are seldom used. Your RSA key/certificate pair is not compatible.

ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES128-GCM-SHA256

Combination of the previous two points: fixed DH key exchange and requiring ECDSA key/certificate pair.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256

No problem with these cipher suites. Nmap sees them.

Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
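
Added example, not part of nnposter's message and not Nmap or nginx code: a Python check that applies the two conditions named in the reply (the key type in the server certificate, and whether DH parameters are configured) to the suite names discussed above. The RULES table, the function names and the cert_keys/dhparam inputs are assumptions made for illustration; the check does not model whether the server's TLS library still implements fixed ECDH.

```python
# Added illustration: why a configured OpenSSL-style suite name may never be
# negotiated, following the reasoning in the reply above.
SUITES = [  # the suite names discussed in the message
    "DHE-RSA-AES256-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-RSA-AES128-GCM-SHA256",
    "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
]

# (name prefix, key type the server certificate must carry, needs DH params).
# Fixed ECDH takes the key-exchange key from the certificate itself, so the
# certificate must hold an EC key whichever algorithm the CA signed it with.
RULES = [
    ("ECDHE-ECDSA-", "EC", False),
    ("ECDHE-RSA-", "RSA", False),
    ("ECDH-ECDSA-", "EC", False),
    ("ECDH-RSA-", "EC", False),
    ("DHE-RSA-", "RSA", True),
]

def blockers(suite, cert_keys, dhparam):
    """Return the reasons `suite` cannot be offered ([] means it can)."""
    for prefix, key, needs_dh in RULES:
        if suite.startswith(prefix):
            why = []
            if key not in cert_keys:
                why.append(f"needs {key} key/certificate")
            if needs_dh and not dhparam:
                why.append("needs DH parameters (ssl_dhparam)")
            return why
    return ["unrecognised key exchange prefix"]

def offered(suites, cert_keys, dhparam):
    """Suites from `suites` with no blocker for this server setup."""
    return [s for s in suites if not blockers(s, cert_keys, dhparam)]

if __name__ == "__main__":
    # Assumed setup matching the thread: RSA certificate only, no ssl_dhparam.
    for s in SUITES:
        why = blockers(s, cert_keys={"RSA"}, dhparam=False)
        print(f"{s:32} {'offered' if not why else '; '.join(why)}")
```

With an RSA-only certificate and no DH parameters, the only names left are the two ECDHE-RSA suites, which matches the ssl-enum-ciphers output quoted in the message.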