Re: ssl-enum-ciphers

[Daniel Miller <bonsaiviking () gmail com>]

Dave,

The length is the size in bits of the "p" portion of the DH parameters. For
calculation purposes, it is converted to a RSA-equivalent key strength with
the tls.rsa_equiv function [1].

Dan

[1] https://nmap.org/nsedoc/lib/tls.html#rsa_equiv

On Tue, Jun 2, 2015 at 10:09 AM, Dave Smith <agentsmith77 () gmail com> wrote:

> Hi All,
>
> https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
>
> Even the documentation page shows a sample output with a key exchange of
> "dh 256", i've seen this repeatedly coming up on a number of specific DHE
> ciphers which are not ECDHE (explaining such a low size).
>
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
>
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
>
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
>
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
>
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
>
> TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
>
>
> I tried to find a rational explanation for the difference between a RSA
> Kex and DH in the output , but didn't find it.
>
>
> Could someone confirm if this is expected behaviour, and the brief reason,
> or if it's misinterpreted by the script.
>
>
> This was run on w2008 r2, with SVN 34457
>
>
> thanks, Dave.
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/