Nmap Development mailing list archives

Re: TLS cipher strength diffs between nmap and SSL Labs

From: Christoph Gruber <list () guru at>
Date: Tue, 11 Aug 2020 12:32:28 +0200

Hi!

Just my few cents on your question:
Use the tools you mentioned to get the facts and a brief proposal how to categorise them, but please judge on your own 
following your needs and policies. There is no hard rule that says, this is secure, and that is not, the really 
important question is: Is it secure enough for my needs now?

-- 
Christoph Gruber

Am 11.08.2020 um 02:16 schrieb Chen, Jerry G <Jerry.Chen () invesco com>:


Hi – I used Qualys SSL Labs to test our company’s website. The results are here at 
https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on.
It finds 12 ciphers used with only 2 being strong.
<Picture (Device Independent Bitmap) 1.jpg>
 
But when I use nmap to scan the site, all 12 ciphers are listed as strong.
 
Do you know whose resultst are more accurate?
 
Thanks!
Jerry

nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com

 
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT
Nmap scan report for www.invesco.com (142.148.253.74)
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
 
 
 
 
 
****************************************************************
Confidentiality Note: The information contained in this 
message, and any attachments, may contain confidential 
and/or privileged material. It is intended solely for the 
person(s) or entity to which it is addressed. Any review, 
retransmission, dissemination, or taking of any action in
reliance upon this information by persons or entities other 
than the intended recipient(s) is prohibited. If you received 
this in error, please contact the sender and delete the 
material from any device.
****************************************************************
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

TLS cipher strength diffs between nmap and SSL Labs Chen, Jerry G (Aug 10)
- Re: TLS cipher strength diffs between nmap and SSL Labs Christoph Gruber (Aug 11)
  - Re: TLS cipher strength diffs between nmap and SSL Labs Matthew.Snyder (Aug 11)
- Re: TLS cipher strength diffs between nmap and SSL Labs Daniel Miller (Aug 27)