Nmap Development mailing list archives

TLS cipher strength diffs between nmap and SSL Labs

From: "Chen, Jerry G" <Jerry.Chen () invesco com>
Date: Tue, 28 Jul 2020 17:24:12 +0000

Hi - I used Qualys SSL Labs to test our company's website. The results are here at 
https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on.
It finds 12 ciphers used with only 2 being strong.


But when I use nmap to scan the site, all 12 ciphers are listed as strong.

Do you know whose resultst are more accurate?

Thanks!
Jerry

nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com


Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT
Nmap scan report for www.invesco.com (142.148.253.74)
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds





****************************************************************
Confidentiality Note: The information contained in this 
message, and any attachments, may contain confidential 
and/or privileged material.  It is intended solely for the 
person(s) or entity to which it is addressed.  Any review, 
retransmission, dissemination, or taking of any action in
reliance upon this information by persons or entities other 
than the intended recipient(s) is prohibited.  If you received 
this in error, please contact the sender and delete the 
material from any device.
****************************************************************

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

TLS cipher strength diffs between nmap and SSL Labs Chen, Jerry G (Aug 10)
- Re: TLS cipher strength diffs between nmap and SSL Labs Christoph Gruber (Aug 11)
  - Re: TLS cipher strength diffs between nmap and SSL Labs Matthew.Snyder (Aug 11)
- Re: TLS cipher strength diffs between nmap and SSL Labs Daniel Miller (Aug 27)