Re: TLS cipher strength diffs between nmap and SSL Labs

[<Matthew.Snyder () mt com>]

The definition of “Strong” in the instance of NMAP comes from the definitions as provided by OpenSSL via their 
configurations.  If you enable “strong” ciphers, the list provided below are included in the configured cipher streams. 
 These are denoted purely by the amount of effort necessary to produce a collision.  SSLLabs focuses on the function of 
the cipher, and known vulnerabilities and risks.  Using this detail, SSLLabs knows that there exists a risk with the 
CBC format of ciphering – and suggests that these are not necessarily as strong as Counter mode ciphering (GCM, CCM, 
etc).

Regards
Matt

From: dev <dev-bounces () nmap org> On Behalf Of Christoph Gruber
Sent: Tuesday, August 11, 2020 6:32 AM
To: Chen, Jerry G <Jerry.Chen () invesco com>
Cc: dev () nmap org
Subject: Re: EXTERNAL - TLS cipher strength diffs between nmap and SSL Labs

Hi!

Just my few cents on your question:
Use the tools you mentioned to get the facts and a brief proposal how to categorise them, but please judge on your own 
following your needs and policies. There is no hard rule that says, this is secure, and that is not, the really 
important question is: Is it secure enough for my needs now?
--
Christoph Gruber

Am 11.08.2020 um 02:16 schrieb Chen, Jerry G <Jerry.Chen () invesco com<mailto:Jerry.Chen () invesco com>>:

Hi – I used Qualys SSL Labs to test our company’s website. The results are here at 
https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on.
It finds 12 ciphers used with only 2 being strong.
<Picture (Device Independent Bitmap) 1.jpg>

But when I use nmap to scan the site, all 12 ciphers are listed as strong.

Do you know whose resultst are more accurate?

Thanks!
Jerry

> nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com<http://www.invesco.com>

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT
Nmap scan report for www.invesco.com<http://www.invesco.com> (142.148.253.74)
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds





****************************************************************
Confidentiality Note: The information contained in this
message, and any attachments, may contain confidential
and/or privileged material. It is intended solely for the
person(s) or entity to which it is addressed. Any review,
retransmission, dissemination, or taking of any action in
reliance upon this information by persons or entities other
than the intended recipient(s) is prohibited. If you received
this in error, please contact the sender and delete the
material from any device.
****************************************************************
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/