Re: [NSE] HUGE ssl-enum-ciphers speed improvement

[David Fifield <david () bamsoftware com>]

On Fri, Jul 13, 2012 at 10:50:24AM -0500, Daniel Miller wrote:
> On 07/12/2012 06:25 PM, David Fifield wrote:
> > You should check if this is the same change Mak Kolybabi tried in 2010:
> > http://seclists.org/nmap-dev/2010/q1/650
> > (Look for "...it starts by offering all ciphers at once...".)
> >
> > There was some problem with this method, the details of which I don't
> > remember, but you should try some of the test cases in this thread:
> > http://seclists.org/nmap-dev/2010/q1/859
> >
> > David Fifield
>
> With the advice from Martyn Tovey to try the ciphers in groups of 64
> or less, I've successfully tested against
> windowsupdate.microsoft.com, coming out with the same results in a
> fraction of the time. My latest test against 5 systems (1 didn't
> have SSL) reduced scan time from 47 seconds to 6.5 seconds, with
> identical results (except for detecting compressors that were missed
> with the old method).
>
> I'm attaching what I feel to be the final version of the script.
> Splitting the ciphers into chunks of 64 means a worst-case extra 3
> handshakes per protocol supported, which I think is not too bad. I
> also changed the compressor detection to always include the NULL
> compressor, and stop checking if the server selects it (since it
> must always be sent, the server will not choose something else if it
> chooses NULL first), which eliminates at least 1 handshake per valid
> protocol. Compressor checking also just sends one cipher (the first
> valid one from cipher detection), to avoid triggering the same
> 64-cipher limit, and to ensure that the handshake will not be
> rejected for a bad cipher.

Nice work. Awesome that you were finally able to solve this problem.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/