Re: TLS cipher strength diffs between nmap and SSL Labs

[Daniel Miller <bonsaiviking () gmail com>]

Jerry,

The version of Nmap you are using (6.40) is 7 years old. The version of the
script it uses only scores the encryption strength of the ciphersuite
itself. The current version also considers the strength of the handshake
key (DH parameters or RSA key) and will warn for some specific problems.

That is only part of the story, however; even the current version lists all
parameters as having an "A" score. Qualys is downgrading some specific
things, namely  all CBC ciphersuites and all ciphersuites without Forward
Secrecy (ECHDE or DHE). Nmap has not gone so far as downgrading these
things, though we may do so in a future release.

Dan

On Mon, Aug 10, 2020 at 7:15 PM Chen, Jerry G <Jerry.Chen () invesco com>
wrote:

> Hi – I used Qualys SSL Labs to test our company’s website. The results are
> here at
> *https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on*
> <https://www.ssllabs.com/ssltest/analyze.html?d=www.invesco.com&hideResults=on>
> .
> It finds 12 ciphers used with only 2 being strong.
>
> But when I use nmap to scan the site, all 12 ciphers are listed as strong.
>
> Do you know whose resultst are more accurate?
>
> Thanks!
> Jerry
>
> > nmap -sV --script ssl-enum-ciphers -p 443 www.invesco.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-28 12:04 CDT
> Nmap scan report for www.invesco.com (142.148.253.74)
> Host is up (0.0012s latency).
> PORT    STATE SERVICE  VERSION
> 443/tcp open  ssl/http Apache httpd
> | ssl-enum-ciphers:
> |   SSLv3: No supported ciphers found
> |   TLSv1.0: No supported ciphers found
> |   TLSv1.1: No supported ciphers found
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
> |     compressors:
> |       NULL
> |_  least strength: strong
>
> Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
>
>
>
>
>
> ****************************************************************
> Confidentiality Note: The information contained in this
> message, and any attachments, may contain confidential
> and/or privileged material. It is intended solely for the
> person(s) or entity to which it is addressed. Any review,
> retransmission, dissemination, or taking of any action in
> reliance upon this information by persons or entities other
> than the intended recipient(s) is prohibited. If you received
> this in error, please contact the sender and delete the
> material from any device.
> ****************************************************************
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/