Nmap Development mailing list archives

Re: Order ciphers in preferred server order for ssl-enum-ciphers.nse


From: Richard van den Berg <richard () vdberg org>
Date: Fri, 19 Apr 2013 20:15:17 +0200

On 19-04-13 17:18, Daniel Miller wrote:
> I tested your patch today, and I'm afraid that it's not working as
> expected. I am getting back different orderings from several hosts,
> both on my own LAN and on the Internet. Using Ndiff to compare from
> one run to the next shows that the orderings have changed.

I'm seeing the same thing, very interesting.
https://www.ssllabs.com/ssltest/analyze.html?d=secwiki.org reports
"sorted by strength; server has no preference". It seems openssl has a
SSL_OP_CIPHER_SERVER_PREFERENCE flag that apache httpd uses when
SSLHonorCipherOrder is set. Apache httpd has this on by default. When
off, the client cipher order is used (the first cipher in the client
list that the server supports is used). See
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
and lines 605-607 of https://github.com/openssl/openssl/blob/master/ssl/ssl.h

> I'm not sure the best way to proceed. I think the best thing would be
> to keep the current behavior as a default, and have the script accept
> a script-arg to enable this type of sorting. That way nobody is
> surprised by differences in their scan results, and the ability to try
> to determine cipher-preference is made available if the user wants it.

That seems reasonable, but I think I can make the script determine if
the server uses the client cipher order or it's own cipher order (like
the Qualys SSL Test site does).

Thanks for testing, I'll be back with a new patch!

Cheers,

Richard
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
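The detection Richard proposes (does the server apply its own cipher order, as with openssl's SSL_OP_CIPHER_SERVER_PREFERENCE, or the client's?) comes down to two handshakes with the same cipher set offered in opposite orders. The following is an added example, not code from the nmap thread or from ssl-enum-ciphers.nse, written in Python rather than NSE Lua. It goes slightly beyond the message: besides classifying the preference it also recovers the server's full order, which is what the original patch set out to print. The server models, the cipher names and the `make_server` helper are constructed stand-ins for a real handshake; on a live target one would replace `handshake` with a function that sends a ClientHello carrying the given cipher list and returns the cipher the server selected.

```python
"""Does a TLS server honour its own cipher order or the client's?

Added example, not part of the nmap-dev thread or of ssl-enum-ciphers.nse.
`make_server` is a constructed model standing in for a real TLS handshake.
"""
from typing import Callable, List, Optional

# A handshake takes the client's cipher list (in client preference order)
# and returns the cipher the server chose, or None on handshake failure.
Handshake = Callable[[List[str]], Optional[str]]


def make_server(supported: List[str], honor_server_order: bool) -> Handshake:
    """Constructed server model (assumption: not a real TLS stack).

    `supported` is the server's cipher list in the server's own preferred
    order. With honor_server_order=True (openssl SSL_OP_CIPHER_SERVER_PREFERENCE,
    Apache SSLHonorCipherOrder on) the server takes the first cipher of its own
    list that the client offered; otherwise it takes the first cipher of the
    client's list that it supports.
    """
    def handshake(client_ciphers: List[str]) -> Optional[str]:
        if honor_server_order:
            for c in supported:
                if c in client_ciphers:
                    return c
        else:
            for c in client_ciphers:
                if c in supported:
                    return c
        return None  # no cipher in common
    return handshake


def enumerate_supported(handshake: Handshake, candidates: List[str]) -> List[str]:
    """Offer each candidate alone; keep those the server accepts.

    This is the per-cipher probing an enumeration script does, and it says
    nothing about order: the result is in the candidate order we chose.
    """
    return [c for c in candidates if handshake([c]) == c]


def detect_preference(handshake: Handshake, supported: List[str]) -> str:
    """Return 'server', 'client' or 'indeterminate'.

    Offer the supported set once as given and once reversed. Same answer both
    times: the server applies its own order. The head of each list: the server
    follows the client's order. Fewer than two ciphers cannot tell the cases
    apart, and a failed handshake gives no information either.
    """
    if len(supported) < 2:
        return 'indeterminate'
    forward = list(supported)
    backward = forward[::-1]
    a = handshake(forward)
    b = handshake(backward)
    if a is None or b is None:
        return 'indeterminate'
    if a == b:
        return 'server'
    if a == forward[0] and b == backward[0]:
        return 'client'
    return 'indeterminate'


def server_order(handshake: Handshake, supported: List[str]) -> List[str]:
    """Recover the server's preference order, most preferred first.

    Each round offers every cipher not yet placed; the one the server picks is
    its next favourite. Only meaningful when detect_preference() said 'server':
    against a client-order server this merely echoes our own list order.
    """
    remaining = list(supported)
    ordered: List[str] = []
    while remaining:
        chosen = handshake(remaining)
        if chosen is None or chosen not in remaining:
            break
        ordered.append(chosen)
        remaining.remove(chosen)
    return ordered


# Constructed cipher names and a constructed probe list, oldest-first on purpose
# so that probe order and server order visibly differ.
PROBE_LIST = ["RC4-SHA", "AES256-SHA", "DES-CBC3-SHA",
              "ECDHE-RSA-AES128-GCM-SHA256"]
SERVER_PREF = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, honor in (("SSLHonorCipherOrder on", True),
                         ("SSLHonorCipherOrder off", False)):
        srv = make_server(SERVER_PREF, honor)
        sup = enumerate_supported(srv, PROBE_LIST)
        pref = detect_preference(srv, sup)
        print(label, "-> supported:", sup, "| preference:", pref)
        if pref == 'server':
            print("  server order:", server_order(srv, sup))
```

Against the model with `honor_server_order=False` the probe reports `client`, which is exactly the "server has no preference" case Richard saw on secwiki.org; a script that printed the ciphers in the order a single handshake returned them would, on such a host, just be reporting its own probe order, hence the run-to-run differences Daniel observed.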

