Nmap Development mailing list archives
Re: Order ciphers in preferred server order for ssl-enum-ciphers.nse
From: Richard van den Berg <richard () vdberg org>
Date: Fri, 19 Apr 2013 20:15:17 +0200
On 19-04-13 17:18, Daniel Miller wrote:
> I tested your patch today, and I'm afraid that it's not working as expected. I am getting back different orderings from several hosts, both on my own LAN and on the Internet. Using Ndiff to compare from one run to the next shows that the orderings have changed.
I'm seeing the same thing, very interesting. https://www.ssllabs.com/ssltest/analyze.html?d=secwiki.org reports "sorted by strength; server has no preference". It seems openssl has a SSL_OP_CIPHER_SERVER_PREFERENCE flag that apache httpd uses when SSLHonorCipherOrder is set. Apache httpd has this on by default. When off, the client cipher order is used (the first cipher in the client list that the server supports is used). See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder and lines 605-607 of https://github.com/openssl/openssl/blob/master/ssl/ssl.h
> I'm not sure the best way to proceed. I think the best thing would be to keep the current behavior as a default, and have the script accept a script-arg to enable this type of sorting. That way nobody is surprised by differences in their scan results, and the ability to try to determine cipher-preference is made available if the user wants it.
That seems reasonable, but I think I can make the script determine if the server uses the client cipher order or its own cipher order (like the Qualys SSL Test site does). Thanks for testing, I'll be back with a new patch!

Cheers,
Richard

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
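The detection Richard proposes above, as an added example that is not part of the thread or of ssl-enum-ciphers.nse: offer the same cipher list twice, forward and reversed, and compare what the server picks. `make_openssl_like_server` is a constructed simulation of the two selection rules the thread describes (SSL_OP_CIPHER_SERVER_PREFERENCE on versus off), so the logic can be checked offline; `tls_negotiator` is an assumed helper that does the same against a real host with Python's `ssl` module, pinned to TLS 1.2 because `set_ciphers` does not govern TLS 1.3 suites. The cipher names and the host/port parameters are constructed sample values.

```python
"""Determine whether a TLS server imposes its own cipher order or follows the client's."""
import socket
import ssl
from typing import Callable, Iterable, List, Optional, Tuple

# A negotiate() callable takes the client's offered cipher list (in order)
# and returns the cipher the server selected, or None if none was acceptable.
Negotiate = Callable[[List[str]], Optional[str]]


def make_openssl_like_server(server_order: List[str], honor_server_order: bool) -> Negotiate:
    """Constructed simulation of the two selection rules discussed in the thread.

    honor_server_order=True  -> SSL_OP_CIPHER_SERVER_PREFERENCE (SSLHonorCipherOrder on):
                                walk the server's list, pick the first cipher the client offered.
    honor_server_order=False -> walk the client's list, pick the first cipher the server supports.
    """
    def negotiate(client_order: List[str]) -> Optional[str]:
        if honor_server_order:
            return next((c for c in server_order if c in client_order), None)
        return next((c for c in client_order if c in server_order), None)
    return negotiate


def detect_preference(negotiate: Negotiate, client_ciphers: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (mode, supported) where mode is 'server', 'client', 'unknown' or 'none'.

    supported is built by elimination, the way ssl-enum-ciphers enumerates ciphers:
    re-offer the list without each chosen cipher until nothing is accepted.  With
    server preference that list comes back in the server's own order.  The mode is
    then decided by offering the original list reversed: if the choice changes, the
    client's order was decisive.  With fewer than two ciphers in common the two
    rules are indistinguishable, so the result is 'unknown' rather than a guess.
    """
    offered = list(client_ciphers)
    first = negotiate(offered)
    if first is None:
        return "none", []

    remaining = list(offered)
    supported: List[str] = []
    while remaining:
        chosen = negotiate(remaining)
        if chosen is None or chosen not in remaining:
            break
        supported.append(chosen)
        remaining.remove(chosen)

    if len(supported) < 2:
        return "unknown", supported

    reversed_choice = negotiate(list(reversed(offered)))
    mode = "client" if reversed_choice != first else "server"
    return mode, supported


def tls_negotiator(host: str, port: int = 443, timeout: float = 5.0) -> Negotiate:
    """Assumed network helper (not exercised offline): real handshakes with OpenSSL
    cipher names such as 'AES256-SHA'.  TLS 1.2 is the ceiling because set_ciphers()
    has no effect on TLS 1.3 suites.  Verification is disabled on purpose: only the
    negotiated cipher matters here, not the certificate."""
    def negotiate(client_order: List[str]) -> Optional[str]:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(":".join(client_order))
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.cipher()[0]
        except (ssl.SSLError, OSError):
            return None
    return negotiate


if __name__ == "__main__":
    # Constructed sample: server prefers AES256 > AES128 > 3DES; client offers the reverse plus RC4.
    server_pref = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
    client_list = ["DES-CBC3-SHA", "AES128-SHA", "AES256-SHA", "RC4-MD5"]
    for honor in (True, False):
        mode, supported = detect_preference(make_openssl_like_server(server_pref, honor), client_list)
        print(f"SSLHonorCipherOrder={'on' if honor else 'off'}: mode={mode}, order={supported}")
```

When the mode comes back as `server`, the `supported` list is the server's real preference order and is worth reporting as such; when it is `client`, the list merely mirrors the probe's own order and should not be presented as a server preference, which is the false impression the original patch gave on hosts like the one in the ssllabs report above.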