Nmap Development mailing list archives
Re: RFC: Change the order of Nsock SSL connection attempts and fallbacks
From: Brandon Enright <bmenrigh () brandonenright net>
Date: Fri, 20 May 2016 16:22:47 +0000
On Fri, 20 May 2016 07:59:22 -0500 Daniel Miller <bonsaiviking () gmail com> wrote:

> * Some servers are even rejecting SSLv3 handshakes, only accepting TLSv1 and higher.

Hi Dan,

I think this point is an important one. With the recent highly publicized SSL bugs, and especially POODLE, SSL 3 is on its way out. SSL Labs (https://www.ssllabs.com/ssltest/) is severely penalizing services that support SSL 3, and in the last ~year a large number of "independent researchers" have been scanning the internet for poorly configured SSL and reporting the results to companies. I think this effort has made SSL 3 somewhat uncommon for user-facing services (mostly https on 443). I bet SSL 2 is virtually extinct on user-facing services.

SSL services on other ports are probably still being neglected to some degree. For port 443 my guess is that the best thing to try first is TLS 1.0, and for other ports possibly still SSL23. I'd like to see some empirical data though.

All this is to say SSL 2 and 3 are on a rapid decline and it might be time to default to TLS 1.0 for maximum chance of connecting on the first try. Maybe we should add a --ssl23 option to let users override?

Brandon
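Brandon asks for empirical data before changing the first-attempt protocol. The script below is an added example, not code from Nmap or Nsock, showing how such data would be used: it scores candidate fallback orders (flexible SSL23 hello first, TLS 1.0 first, and a port-aware mix) against a server survey by weighted mean number of handshake attempts. The survey entries, their population shares and the three strategy names are constructed assumptions, not measurements; the point is the scoring method, which can be rerun over real scan results.

```python
from dataclasses import dataclass

# Handshake types a probe can send. SSL23 stands for OpenSSL's version-flexible
# ClientHello, which some strict servers refuse along with plain SSLv3.
SSL23, SSL3, TLS10 = "SSL23", "SSLv3", "TLSv1.0"


@dataclass(frozen=True)
class ServerProfile:
    name: str
    port: int
    accepts: frozenset  # handshake types this server completes
    weight: int         # share of the population, in percent (assumed)


# Constructed survey, not measured data. The shares are assumptions that follow
# the thread's claim that SSL 3 is now rare on port 443 but lingers elsewhere.
SURVEY = (
    ServerProfile("strict-https", 443, frozenset({TLS10}), 50),
    ServerProfile("lenient-https", 443, frozenset({SSL23, TLS10}), 30),
    ServerProfile("legacy-smtps", 465, frozenset({SSL23, SSL3, TLS10}), 15),
    ServerProfile("ssl3-only-imaps", 993, frozenset({SSL23, SSL3}), 5),
)


def attempts_to_connect(order, server):
    """Walk the fallback order; return (handshake, attempts) for the first
    accepted handshake, or (None, attempts) if every try is rejected."""
    for n, handshake in enumerate(order, start=1):
        if handshake in server.accepts:
            return handshake, n
    return None, len(order)


# Candidate strategies: each maps a destination port to a fallback order.
def flexible_first(port):
    return (SSL23, TLS10, SSL3)


def tls_first(port):
    return (TLS10, SSL23, SSL3)


def port_aware(port):
    # Brandon's guess: TLS 1.0 first on 443, the flexible hello elsewhere.
    return tls_first(port) if port == 443 else flexible_first(port)


def evaluate(strategy, survey=SURVEY):
    """Weighted mean attempts and fraction of servers reached for a strategy."""
    total = sum(s.weight for s in survey)
    attempts = 0
    reached = 0
    for s in survey:
        handshake, n = attempts_to_connect(strategy(s.port), s)
        attempts += n * s.weight
        if handshake is not None:
            reached += s.weight
    return {"mean_attempts": attempts / total, "connect_rate": reached / total}


if __name__ == "__main__":
    for name, strategy in (("flexible-first", flexible_first),
                           ("tls-first", tls_first),
                           ("port-aware", port_aware)):
        r = evaluate(strategy)
        print(f"{name:15s} mean attempts {r['mean_attempts']:.2f} "
              f"connect rate {r['connect_rate']:.0%}")
```

Every strategy eventually reaches every server in this survey because each order contains all three handshake types; what changes is how many round trips are wasted before the first success. Replacing SURVEY with real per-port acceptance counts turns the same function into the empirical comparison the thread is asking for.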