Nmap Development mailing list archives

Re: RFC: Change the order of Nsock SSL connection attempts and fallbacks


From: Brandon Enright <bmenrigh () brandonenright net>
Date: Fri, 20 May 2016 16:22:47 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 20 May 2016 07:59:22 -0500
Daniel Miller <bonsaiviking () gmail com> wrote:

> * Some servers are even rejecting SSLv3 handshakes, only accepting
> TLSv1 and higher.

Hi Dan, I think this point is an important one. With the recent highly
publicized SSL bugs, and especially POODLE, SSL 3 is on its way out.
SSL Labs (https://www.ssllabs.com/ssltest/) is severely penalizing
services that support SSL 3 and in the last ~year a large number of
"independent researchers" have been scanning the internet for poorly
configured SSL and reporting the results to companies.

I think this effort has made SSL 3 somewhat uncommon for user-facing
services (mostly https on 443).  I bet SSL 2 is virtually extinct on
user-facing services. SSL services on other ports are probably still
being neglected to some degree.

For port 443 my guess is that the best thing to try first is TLS 1.0
and for other ports possibly still SSL23.  I'd like to see some
empirical data though.

All this is to say SSL 2 and 3 are on a rapid decline and it might be
time to default to TLS 1.0 for maximum chance of connecting on the
first try.

Maybe we should add a --ssl23 option to let users override?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlc/OeMACgkQqaGPzAsl94IEJQCfTTqul6xjfDyD9zSsCrNRAPg3
N3AAnj/Cm9YPaF5peSxvLwk+1OugHCgu
=Yd3p
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
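The thread above is about which protocol version a client should offer first and what it falls back to when a server refuses the hello. The following script is an added example, not Nsock or Nmap code: it pins a Python `ssl` client to one protocol version at a time so you can audit a service you operate for the legacy versions SSL Labs penalises, and it contains a small `connect_with_fallback` function that applies an ordered list of versions the way the message describes. The hostname and port are command-line arguments; the TLS-only and SSL3-only server profiles used to exercise the fallback logic are constructed, not measured.

```python
"""Audit which SSL/TLS versions a server accepts and model client fallback order.

Added example (not Nsock code). Usage: python tls_versions.py HOST [PORT]
"""
import socket
import ssl
import sys

# Versions a modern Python/OpenSSL client can pin. SSLv2 has no
# ssl.TLSVersion member at all, so it cannot be tested from here.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions SSL Labs and similar scanners flag if a server still accepts them.
LEGACY = ("SSLv3", "TLSv1.0", "TLSv1.1")


def handshake_with_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True on success.

    Caveat: False means "could not negotiate from this client", not strictly
    "server rejects it". OpenSSL builds often compile SSLv3 out or place
    TLS 1.0/1.1 below the default security level, which fails the same way.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # this OpenSSL refuses to offer the version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def survey(host, port):
    """Map each version name to whether a pinned handshake succeeded."""
    return {name: handshake_with_version(host, port, ver) for name, ver in VERSIONS.items()}


def legacy_findings(support):
    """Return the deprecated versions the server still accepts, weakest first."""
    return [name for name in LEGACY if support.get(name)]


def connect_with_fallback(order, try_version):
    """Nsock-style fallback: try versions in `order`, stop at the first success.

    `try_version(name)` returns True/False; returns (winner, attempts) so the
    cost of a poor default ordering (extra round trips) is visible.
    """
    attempts = 0
    for name in order:
        attempts += 1
        if try_version(name):
            return name, attempts
    return None, attempts


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = survey(host, port)
    for name, ok in result.items():
        print(f"{name:8} {'accepted' if ok else 'not negotiated'}")
    print("legacy versions still accepted:", legacy_findings(result) or "none")
```

`connect_with_fallback` takes the probe as a callable so the ordering question can be reasoned about against a server profile before touching the network; against a server that only speaks TLS 1.0 and up, an order that starts with TLS 1.0 connects on the first attempt, while an order that starts with SSL 3 spends a failed handshake first.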