Nmap Development mailing list archives
Re: Discussion of Ncat's SSL security choices
From: David Fifield <david () bamsoftware com>
Date: Tue, 6 Jan 2015 20:15:26 -0800
On Tue, Jan 06, 2015 at 09:32:00PM -0600, Daniel Miller wrote:
In addition to bug reports and code submissions, we are using Github Issues to hold some todo items. One of those [1] is to "Audit or review Ncat's use of SSL /TLS." This is really less of an audit of the code, and more of a requirements solicitation. I need you all to put on your thinking caps and help decide how Ncat will handle things like: * Certificate verification * Protocol version (i.e. SSL3, TLS1.2, etc) selection * Certificate revocation checking Or anything else you can think of. This is an important decision, because the use of Ncat is not strictly opt-in any more: Red Hat has adopted Ncat as their default Netcat replacement. Keep this in mind when considering how the average sysadmin will use it, and what behaviors they may expect or require.
Here's some historical background on Ncat SSL: http://seclists.org/nmap-dev/2009/q2/183 Nmap's -sV doesn't care about security, so it uses whatever weak ciphers and SSL versions the server offers. We wanted Ncat to have better options by default, which is why there is now an nsp_ssl_init and nsp_ssl_init_max_speed in nsock/src/nsock_ssl.c. Here's a way to test the Ncat client with SSL Labs: echo -n $'GET /ssltest/viewMyClient.html HTTP/1.0\r\nHost: www.ssllabs.com\r\n\r\n' | ./ncat --ssl -v www.ssllabs.com 443 | sed -e '0,/^\r$/d' > viewMyClient.html For me, it rates these parts as WEAK or INSECURE: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) WEAK TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) WEAK TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) WEAK TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE I'm surprised at those _anon_ ciphers in there. But I guess they come out of our cipher specification: openssl ciphers 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' includes AECDH-AES256-SHA, AECDH-AES128-SHA, AECDH-RC4-SHA, and AECDH-DES-CBC3-SHA. I guess !ADH excludes anonymous Diffie–Hellman, but not anonymous EC Diffie–Hellman. Here's another way to see the client handshake: tshark -V -Y ssl.handshake.ciphersuites -f "port 443" I'd be in favor of disabling SSLv3. Revocation checking was intimidating when I first looked at it. Even in browsers behavior is not standardized. David Fifield _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Discussion of Ncat's SSL security choices Daniel Miller (Jan 06)
- Re: Discussion of Ncat's SSL security choices David Fifield (Jan 06)
- Re: Discussion of Ncat's SSL security choices Daniel Miller (Jan 06)
- Re: Discussion of Ncat's SSL security choices David Fifield (Jan 06)