Nmap Development mailing list archives
Re: TLS cipher strength diffs between nmap and SSL Labs
From: <Matthew.Snyder () mt com>
Date: Tue, 11 Aug 2020 11:44:02 +0000
The definition of “Strong” in the instance of NMAP comes from the definitions as provided by OpenSSL via their configurations. If you enable “strong” ciphers, the list provided below are included in the configured cipher streams. These are denoted purely by the amount of effort necessary to produce a collision. SSLLabs focuses on the function of the cipher, and known vulnerabilities and risks. Using this detail, SSLLabs knows that there exists a risk with the CBC format of ciphering – and suggests that these are not necessarily as strong as Counter mode ciphering (GCM, CCM, etc). Regards Matt From: dev <dev-bounces () nmap org> On Behalf Of Christoph Gruber Sent: Tuesday, August 11, 2020 6:32 AM To: Chen, Jerry G <Jerry.Chen () invesco com> Cc: dev () nmap org Subject: Re: EXTERNAL - TLS cipher strength diffs between nmap and SSL Labs Hi! Just my few cents on your question: Use the tools you mentioned to get the facts and a brief proposal how to categorise them, but please judge on your own following your needs and policies. There is no hard rule that says, this is secure, and that is not, the really important question is: Is it secure enough for my needs now? -- Christoph Gruber Am 11.08.2020 um 02:16 schrieb Chen, Jerry G <Jerry.Chen () invesco com<mailto:Jerry.Chen () invesco com>>: Hi – I used Qualys SSL Labs to test our company’s website. The results are here at https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on. It finds 12 ciphers used with only 2 being strong. <Picture (Device Independent Bitmap) 1.jpg> But when I use nmap to scan the site, all 12 ciphers are listed as strong. Do you know whose resultst are more accurate? Thanks! Jerry
nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com<http://www.invesco.com>
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT Nmap scan report for www.invesco.com<http://www.invesco.com> (142.148.253.74) Host is up (0.0012s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/http Apache httpd | ssl-enum-ciphers: | SSLv3: No supported ciphers found | TLSv1.0: No supported ciphers found | TLSv1.1: No supported ciphers found | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_RSA_WITH_AES_256_GCM_SHA384 - strong | compressors: | NULL |_ least strength: strong Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds **************************************************************** Confidentiality Note: The information contained in this message, and any attachments, may contain confidential and/or privileged material. It is intended solely for the person(s) or entity to which it is addressed. Any review, retransmission, dissemination, or taking of any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you received this in error, please contact the sender and delete the material from any device. **************************************************************** _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- TLS cipher strength diffs between nmap and SSL Labs Chen, Jerry G (Aug 10)
- Re: TLS cipher strength diffs between nmap and SSL Labs Christoph Gruber (Aug 11)
- Re: TLS cipher strength diffs between nmap and SSL Labs Matthew.Snyder (Aug 11)
- Re: TLS cipher strength diffs between nmap and SSL Labs Daniel Miller (Aug 27)
- Re: TLS cipher strength diffs between nmap and SSL Labs Christoph Gruber (Aug 11)