
Some ciphers are not recognized (but I see them offered in "Server Hello" in tcpdump)

Open michalmiddleton opened this issue 4 years ago • 2 comments

Hi,

I have noticed that some ciphers were not recognized in my scan. sslscan shows all protocols as disabled and no ciphers are listed. However, nmap shows 4 ciphers available.

OS: RHEL 7.9
sslscan: Version: 2.0.10-4-g5224502-static, OpenSSL 1.1.1l-dev xx XXX xxxx

(I can provide tcpdump if needed)

sslscan:

$ ./sslscan --verbose <redacted>:443
Version: 2.0.10-4-g5224502-static
OpenSSL 1.1.1l-dev  xx XXX xxxx

Connected to <redacted>

Some servers will fail to response to SSLv3 ciphers over STARTTLS
If your scan hangs, try using the --tlsall option

Testing SSL server <redacted> on port 443 using SNI name <redacted>

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
OpenSSL OpenSSL 1.1.1l-dev  xx XXX xxxx looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
OpenSSL OpenSSL 1.1.1l-dev  xx XXX xxxx looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Server supports TLS Fallback SCSV

  TLS renegotiation:
OpenSSL OpenSSL 1.1.1l-dev  xx XXX xxxx looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
use_unsafe_renegotiation_op
Session renegotiation not supported

  TLS Compression:
OpenSSL OpenSSL 1.1.1l-dev  xx XXX xxxx looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  <redacted>
Altnames: <redacted>
Issuer:   Sectigo RSA Organization Validation Secure Server CA

Not valid before: Oct  8 00:00:00 2020 GMT
Not valid after:  Nov  8 23:59:59 2021 GMT

nmap:

443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

michalmiddleton, Jun 30 '21 20:06

SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 disabled TLSv1.3 disabled

I suspect that nothing was found because the protocol detection failed. That's the first step; cipher enumeration is done only on detected protocols.

Is your target server on the public Internet? If so, I could scan it from my end and debug the issue (you can privately send me the hostname/IP at: jtesta at-sign positronsecurity dot com).

Otherwise, I can see if the pcap has anything interesting in it. (FYI, this is harder to do than a live debug session...)

jtesta, Jun 30 '21 20:06
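A direct per-version handshake is a useful cross-check when sslscan's protocol detection reports everything disabled while nmap still negotiates TLSv1.2 ciphers. The script below is an added example, not code from this thread or from sslscan: it pins one protocol version per connection with Python's standard ssl module and keeps a TLS alert ("refused") apart from a silent close, a reset or a timeout, which is exactly the distinction a flat "disabled" verdict hides. The hostname, port and SNI name are whatever you pass in; SSLv2/SSLv3 are not probed because modern OpenSSL builds of the ssl module cannot negotiate them.

```python
import socket
import ssl

# Versions probed one at a time (SSLv2/SSLv3 are unavailable in modern builds).
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def pinned_context(version):
    """Context that offers exactly one protocol version and nothing else."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # probing support, not validating trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def classify(exc):
    """Map a handshake outcome to the verdict a scanner should report."""
    if exc is None:
        return "supported"
    if isinstance(exc, ssl.SSLEOFError):
        return "closed"                 # peer hung up mid-handshake, no alert
    if isinstance(exc, ssl.SSLError):
        return "refused"                # server answered with a TLS alert
    if isinstance(exc, ConnectionResetError):
        return "reset"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "error"


def probe(host, port=443, version=ssl.TLSVersion.TLSv1_2, sni=None, timeout=5.0):
    """Return (verdict, negotiated version, cipher name) for one pinned version."""
    try:
        ctx = pinned_context(version)   # inside try: some builds reject old versions
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return classify(None), tls.version(), tls.cipher()[0]
    except Exception as exc:            # broad on purpose: every failure gets a verdict
        return classify(exc), None, None


if __name__ == "__main__":
    import sys
    for v in PROBE_VERSIONS:            # sys.argv[1] is the host under test
        print(v.name, *probe(sys.argv[1], version=v))
```

Compare the cipher names returned for each "supported" version against nmap's ssl-enum-ciphers list; a "closed" or "reset" verdict points at the server or a middlebox dropping the handshake rather than at a version being genuinely disabled.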

Hi @jtesta, I sent you a tcpdump capture via email. Unfortunately, this is not a publicly accessible IP :(

michalmiddleton, Jun 30 '21 21:06