Nmap Development mailing list archives
RE: ssl-enum-ciphers not returning all ciphers
From: <Terry.Lemons () dell com>
Date: Tue, 23 Jul 2019 18:01:05 +0000
I have a glimmer of an idea. Here is the result of a nmap probe of my system, where nginx is running behind TCP port 443:

lava93141:~ # nmap --script ssl-enum-ciphers -p 443 lava93110.dev.local
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-23 11:53 MDT
Nmap scan report for lava93110.dev.local (10.7.93.110)
Host is up (0.00047s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
MAC Address: 00:50:56:8A:DC:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
lava93141:~ #

Here is the cipher list used by nginx:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256";

What’s interesting is that the TLS_ECDHE_RSA* and TLS_RSA* ciphers appear in nmap, and the TLS_DHE_RSA* and TLS_ECDHE_ECDSA* ciphers do not. I have not (yet) provided nginx with a certificate for use of DHE and ECDSA ciphers; could this be why nmap is not showing those ciphers?

Thanks
tl

From: Lemons, Terry
Sent: Wednesday, June 26, 2019 10:08 AM
To: 'Daniel Miller'
Cc: Matthew.Snyder () mt com; dev () nmap org
Subject: RE: ssl-enum-ciphers not returning all ciphers

Hi Dan

Thanks for the reply and the suggestions.
I think the openssl s_client message is a red herring, as I see that same message when I run the command with the cipher that IS shown in nmap.

I downloaded and tried testssl.sh. The output, run against the same system/port as nmap is, is below. Looking in the section titled “Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength”, I see 13 ciphers that seem to closely match the RabbitMQ cipher list, below:

ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA

So, given this testssl.sh output, it seems that we’ve stumbled into an nmap bug. Thoughts?

Thanks
tl

# ./testssl.sh 10.7.110.234:5671

###########################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/

This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on lava93141:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

Start 2019-06-26 07:55:03 -->> 10.7.110.234:5671 (10.7.110.234) <<--

rDNS (10.7.110.234):  --
Service detected:     Couldn't determine what's running on port 5671, assuming no HTTP service => skipping all HTTP checks

Testing protocols via sockets except NPN+ALPN

SSLv2       not offered (OK)
SSLv3       not offered (OK)
TLS 1       not offered
TLS 1.1     not offered
TLS 1.2     offered (OK)
TLS 1.3     not offered
NPN/SPDY    not offered
ALPN/HTTP2  not offered

Testing cipher categories

NULL ciphers (no encryption)                  not offered (OK)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
Triple DES Ciphers / IDEA                     not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers       offered
Strong encryption (AEAD ciphers)              offered (OK)

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

PFS is offered (OK)       ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
                          DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
                          DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
Elliptic curves offered:  secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1
                          secp384r1 secp521r1 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1
DH group offered:         RFC3526/Oakley Group 14 (2048 bits)

Testing server preferences

Has server cipher order?     nope (NOT ok)
Negotiated protocol          TLSv1.2
Negotiated cipher            DHE-RSA-AES256-SHA256, 2048 bit DH -- inconclusive test, matching cipher in list missing, better see below
Negotiated cipher per proto  (matching cipher in list missing)
    ECDHE-RSA-AES256-SHA384: TLSv1.2
No further cipher order check has been done as order is determined by the client

Testing server defaults (Server Hello)

TLS extensions (standard)    "EC point formats/#11" "renegotiation info/#65281"
Session Ticket RFC 5077 hint (no lifetime advertised)
SSL Session ID support       yes
Session Resumption           Connect problem: Ticket resumption test not possible / ID resumption test failed
TLS clock skew               -7 sec from localtime
Signature Algorithm          SHA256 with RSA
Server key size              RSA 2048 bits
Server key usage             --
Server extended key usage    --
Serial / Fingerprints        02 / SHA1 1DDC46720B237E13F8EF836FEA8463D7C50360E6
                             SHA256 6A9D37CA2D43102B66FC6DD709208C4176375F09E13775E5F5DC332A2ABD4123
Common Name (CN)             dpc.sddc.local
subjectAltName (SAN)         192.168.2.104 FE80:0:0:0:250:56FF:FE81:5EB0 0:0:0:0:0:0:0:1 127.0.0.1
Issuer                       dpc.sddc.local DPC ROOT CA (Dell EMC from US)
Trust (hostname)             certificate does not match supplied URI
Chain of trust               NOT ok (self signed CA in chain)
EV cert (experimental)       no
"eTLS" (visibility info)     not present
Certificate Validity (UTC)   3530 >= 60 days (2019-02-26 13:18 --> 2029-02-23 13:18)
# of certificates provided   2
Certificate Revocation List  --
OCSP URI                     --
                             NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling                not offered
OCSP must staple extension   --
DNS CAA RR (experimental)    not offered
Certificate Transparency     N/A

Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                       not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.  -- (applicable only for HTTPS)
ROBOT                                     not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, no protocol below TLS 1.2 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                          https://censys.io/ipv4?q=6A9D37CA2D43102B66FC6DD709208C4176375F09E13775E5F5DC332A2ABD4123 could help you to find out
LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC3526/Oakley Group 14 (2048 bits),
                                          but no DH EXPORT ciphers
BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits  Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
xc028    ECDHE-RSA-AES256-SHA384      ECDH 521  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014    ECDHE-RSA-AES256-SHA         ECDH 521  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9f      DHE-RSA-AES256-GCM-SHA384    DH 2048   AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x6b      DHE-RSA-AES256-SHA256        DH 2048   AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
x39      DHE-RSA-AES256-SHA           DH 2048   AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x9d      AES256-GCM-SHA384            RSA       AESGCM      256   TLS_RSA_WITH_AES_256_GCM_SHA384
xc02f    ECDHE-RSA-AES128-GCM-SHA256  ECDH 521  AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027    ECDHE-RSA-AES128-SHA256      ECDH 521  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013    ECDHE-RSA-AES128-SHA         ECDH 521  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9e      DHE-RSA-AES128-GCM-SHA256    DH 2048   AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67      DHE-RSA-AES128-SHA256        DH 2048   AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x33      DHE-RSA-AES128-SHA           DH 2048   AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x9c      AES128-GCM-SHA256            RSA       AESGCM      128   TLS_RSA_WITH_AES_128_GCM_SHA256

Could not determine the protocol, only simulating generic clients.

Running client simulations via sockets

Android 4.2.2         No connection
Android 4.4.2         TLSv1.2 ECDHE-RSA-AES256-SHA, 521 bit ECDH (P-521)
Android 5.0.0         TLSv1.2 ECDHE-RSA-AES256-SHA, 521 bit ECDH (P-521)
Android 6.0           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Android 7.0           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Chrome 65 Win 7       TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Chrome 70 Win 10      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Firefox 59 Win 7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Firefox 62 Win 7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
IE 6 XP               No connection
IE 7 Vista            No connection
IE 8 Win 7            No connection
IE 8 XP               No connection
IE 11 Win 7           TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
IE 11 Win 8.1         TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1   TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
IE 11 Win 10          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Edge 13 Win 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Edge 13 Win Phone 10  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Edge 15 Win 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Opera 17 Win 7        TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Safari 9 iOS 9        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Safari 9 OS X 10.11   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Safari 10 OS X 10.12  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Tor 17.0.9 Win 7      No connection
Java 6u45             No connection
Java 7u25             No connection
Java 8u161            TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
Java 9.0.4            TLSv1.2 AES256-GCM-SHA384, No FS
OpenSSL 1.0.1l        TLSv1.2 ECDHE-RSA-AES256-SHA384, 521 bit ECDH (P-521)
OpenSSL 1.0.2e        TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)

Done 2019-06-26 07:55:58 [ 58s] -->> 10.7.110.234:5671 (10.7.110.234) <<--

lava93141:/home/testssl/testssl.sh-3.0rc4 #

From: Daniel Miller <bonsaiviking () gmail com>
Sent: Wednesday, June 26, 2019 12:20 AM
To: Lemons, Terry
Cc: Matthew.Snyder () mt com; dev () nmap org
Subject: Re: ssl-enum-ciphers not returning all ciphers

[EXTERNAL EMAIL]

Terry,

It looks like openssl s_client is also failing to connect, according to these output lines:

On Tue, Jun 25, 2019 at 2:30 PM Lemons, Terry <Terry.Lemons () dell com> wrote:

    139674829317776:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
    139674829317776:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

In searching about, it seems that not all ciphers may be supported by every Erlang release. You can follow the directions here to determine if some of your ciphers are not supported: https://www.rabbitmq.com/ssl.html#cipher-suites

That said, if you get any other tool (testssl.sh, SSLLabs, openssl s_client, etc.) to show ciphers that Nmap's ssl-enum-ciphers does not show, please let us know so we can investigate.

Dan
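
Added example (not part of the thread and not Nmap's code): the comparison made by eye in the July 23 message, done mechanically by translating the configured OpenSSL names to IANA names and grouping the suites that ssl-enum-ciphers did not report by key-exchange/authentication family. The name translation is an assumption of this example and covers only the AES suite names that appear on this page; the function names are hypothetical.

```python
import re
from collections import defaultdict
# ssl_ciphers value copied from the message above (OpenSSL names).
NGINX_SSL_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:"
    "AES256-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
)
# Cipher lines copied from the ssl-enum-ciphers output in the message above.
NMAP_OUTPUT = """\
|   TLSv1.2:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
"""

# Assumption: only the AES suite name shapes seen on this page are handled.
_OPENSSL_AES = re.compile(r"^(?:(ECDHE|DHE)-(RSA|ECDSA)-)?AES(128|256)-(GCM-)?(SHA(?:256|384)?)$")

def openssl_to_iana(name):
    """Map an OpenSSL AES suite name to its IANA name; None if not covered."""
    m = _OPENSSL_AES.match(name)
    if not m:
        return None
    kx, auth, bits, gcm, mac = m.groups()
    family = f"{kx}_{auth}" if kx else "RSA"  # no prefix means RSA key exchange
    return f"TLS_{family}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"

def offered_suites(nmap_text):
    # Every IANA suite name mentioned in the script output ("TLSv1.2" does not match).
    return set(re.findall(r"\bTLS_[A-Z0-9_]+\b", nmap_text))

def missing_by_family(cipher_string, nmap_text):
    """Configured suites absent from the scan, keyed by kx/auth family."""
    offered = offered_suites(nmap_text)
    missing = defaultdict(list)
    for name in cipher_string.split(":"):
        iana = openssl_to_iana(name)
        if iana is None:
            missing["unmapped"].append(name)  # keyword or suite this example cannot translate
        elif iana not in offered:
            missing[iana[4:].split("_WITH_")[0]].append(iana)
    return dict(missing)

if __name__ == "__main__":
    print(missing_by_family(NGINX_SSL_CIPHERS, NMAP_OUTPUT))
```

An ECDHE_ECDSA suite can only be negotiated when the server has an ECDSA certificate and key loaded, and nginx 1.11.0 and later does not use DHE suites unless ssl_dhparam is set. A scanner cannot list either family until the server is able to negotiate it.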
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/