Nmap Development mailing list archives

Re: [NSE] HUGE ssl-enum-ciphers speed improvement


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 13 Jul 2012 17:26:49 -0500

On 07/13/2012 10:50 AM, Daniel Miller wrote:
> On 07/12/2012 06:25 PM, David Fifield wrote:
>> You should check if this is the same change Mak Kolybabi tried in 2010:
>> http://seclists.org/nmap-dev/2010/q1/650
>> (Look for "...it starts by offering all ciphers at once...".)
>>
>> There was some problem with this method, the details of which I don't
>> remember, but you should try some of the test cases in this thread:
>> http://seclists.org/nmap-dev/2010/q1/859
>>
>> David Fifield
>
> With the advice from Martyn Tovey to try the ciphers in groups of 64 or less, I've successfully tested against windowsupdate.microsoft.com, coming out with the same results in a fraction of the time. My latest test against 5 systems (1 didn't have SSL) reduced scan time from 47 seconds to 6.5 seconds, with identical results (except for detecting compressors that were missed with the old method).
>
> I'm attaching what I feel to be the final version of the script. Splitting the ciphers into chunks of 64 means a worst-case extra 3 handshakes per protocol supported, which I think is not too bad. I also changed the compressor detection to always include the NULL compressor, and stop checking if the server selects it (since it must always be sent, the server will not choose something else if it chooses NULL first), which eliminates at least 1 handshake per valid protocol. Compressor checking also just sends one cipher (the first valid one from cipher detection), to avoid triggering the same 64-cipher limit, and to ensure that the handshake will not be rejected for a bad cipher.
>
> Thanks for all the feedback on this! More testing is appreciated.
>
> Dan

A quick followup: I did more testing, this time against 29 servers on the Internet (just grabbed the latest test results from https://www.ssllabs.com/ssltest/index.html), and came up with the same results against all of them. I also tested against a local Apache server, Cisco Security Appliance, Linksys home router, HP Printer (my script finished, original script killed it, had to reboot), openssl s_server, ncat --ssl, and my CUPS server. All with positive results.

I'm going to commit this. It's not a default script, so there won't be as much impact, but I'll publicize and try to get more testers. I'm also committing a large addition (147 new ciphers) based on the IANA public registry (https://www.iana.org/assignments/tls-parameters/) and a description of previously implemented ciphersuites from the tls () ietf org mailing list (https://www.ietf.org/mail-archive/web/tls/current/msg00036.html). Patch attached. Most notably, removed TLS_RENEGO_PROTECTION_REQUEST, which is not a cipher but a flag (officially named TLS_EMPTY_RENEGOTIATION_INFO_SCSV), extended the name of TLS_KRB5_WITH_DES_CBC_SHA to reflect its alternate meaning under SSLv3 (SSL_FORTEZZA_KEA_WITH_RC4_128_SHA), and added uncontested ciphers from draft-chudov-cryptopro-cptls-04 (GOST ciphers distributed with OpenSSL, but not often fielded), draft-ietf-tls-ecc-00 (Numbers changed later in RFC4492, but not before being implemented in OpenSSL), and draft-ietf-tls-openpgp-keys-05 (Also implemented before draft was modified to use existing cipher suites).

Even with the new ciphers, this script finishes quickly. Thanks for all the help, and please continue to test!

Dan

Attachment: ciphers.diff
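
The chunked cipher enumeration and the NULL-compressor shortcut described in the message above, as an added Python simulation against a mock server. It is not the attached script or Nmap's code; `MockServer`, the `SUITE_nnn` names and the rejection of offers longer than 64 entries are constructed assumptions.

```python
# Added illustration: offline simulation, no network I/O. MockServer and the
# SUITE_nnn names are constructed; this is not the ssl-enum-ciphers code.
CHUNK = 64  # group size from the message above
class MockServer:
    def __init__(self, ciphers, compressors, max_offer=64):
        self.ciphers, self.compressors = ciphers, compressors  # preference order
        self.max_offer, self.handshakes = max_offer, 0

    def hello(self, ciphers, compressors):
        """Return the (cipher, compressor) the server selects, or None if it rejects."""
        self.handshakes += 1
        if len(ciphers) > self.max_offer:
            return None  # assumed failure mode when too many ciphers are offered
        cipher = next((c for c in self.ciphers if c in ciphers), None)
        comp = next((c for c in self.compressors if c in compressors), None)
        return (cipher, comp) if cipher and comp else None

def enum_ciphers(server, all_ciphers):
    """Offer each chunk, drop the server's pick, repeat until the chunk is rejected."""
    found = []
    for i in range(0, len(all_ciphers), CHUNK):
        offer = all_ciphers[i:i + CHUNK]
        while offer:
            reply = server.hello(offer, ["NULL"])
            if reply is None:
                break  # one rejected handshake ends each chunk
            found.append(reply[0])
            offer.remove(reply[0])
    return found

def enum_compressors(server, cipher, all_compressors):
    """Offer one known-good cipher; always send NULL and stop once it is chosen."""
    found, offer = [], [c for c in all_compressors if c != "NULL"]
    while True:
        reply = server.hello([cipher], offer + ["NULL"])
        if reply is None:
            break
        found.append(reply[1])
        if reply[1] == "NULL":
            break  # the server fell back to NULL, so nothing else will be picked
        offer.remove(reply[1])
    return found

# Constructed sample data: 200 placeholder suite names, four of them "supported".
ALL_CIPHERS = [f"SUITE_{n:03d}" for n in range(200)]
SERVER_CIPHERS = ["SUITE_071", "SUITE_003", "SUITE_199", "SUITE_070"]
if __name__ == "__main__":
    srv = MockServer(SERVER_CIPHERS, ["DEFLATE", "NULL"])
    print(enum_ciphers(srv, ALL_CIPHERS), srv.handshakes, "handshakes")
```

With 200 candidate suites in four chunks, the run costs one rejected handshake per chunk plus one handshake per supported suite, which is where the "worst-case extra 3 handshakes" figure comes from.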