Re: nmap 'ssl-enum-ciphers' does not display all ciphers

[nnposter <nnposter () users sourceforge net>]

On 1/10/18 12:12 PM, Lemons, Terry wrote:
> Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 20:48 EST
<snip>
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: A
>
> So I like the addition of the 'strength' information.  But the basic
issue remains; why doesn't nmap report on all of the ciphers that nginx
is making available?


I am guessing that the issue is not that Nmap fails to report them. More
likely your server is not really supporting them.

Let me comment on your individual cipher suites:

DHE-RSA-AES256-SHA256
Ephemeral (classic) DH key exchange requires key space definition. Have
you configured "ssl_dhparam" in Nginx?

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
Your RSA key/certificate pair is not compatible with these cipher
suites. Do you also have ECDSA key/certificate pair configured?

ECDH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES128-GCM-SHA256
These cipher suites are using fixed DH key exchange, not ephemeral, and
are seldom used. Your RSA key/certificate pair is not compatible.

ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES128-GCM-SHA256
Combination of the previous two points: fixed DH key exchange and
requiring ECDSA key/certificate pair.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
No problem with these ciphers suites. Nmap sees them.


Cheers,
nnposter




_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/