Nmap Development mailing list archives

RE: [NSE] ssl-enum-ciphers hosed?


From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Mon, 15 Mar 2010 07:34:57 -0500

Get the man an abacus ! :)

Anyhow . . . While fixing the script - can the (old, deprecated) FIPS
ciphersuites be added ? The ones listed at
http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ?

Yes, they're deprecated, but (a) JSSE up to 5.0 allows them to be specified
(http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA),
(b) Firefox sends them out on its Hello message . . .

Thanks,
Dario



-----Original Message-----
From: nmap-dev-bounces () insecure org 
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Ron
Sent: Friday, March 12, 2010 12:39 PM
To: nmap-dev () insecure org
Subject: Re: [NSE] ssl-enum-ciphers hosed?

Mak hosed his laptop this week (twice :) ), so he's been 
working on fixing it. He plans to be back in business this 
weekend. I passed the message on, he'll sort it out as soon 
as he can. 

On Fri, 12 Mar 2010 11:27:57 -0600 "Dario Ciccarone (dciccaro)"
<dciccaro () cisco com> wrote:
Well, don't know if this is a democracy or what, but yeah - my vote
would also go to "old, but working" over "shiny new, but failing" :)

I have to get me a t-shirt: "What would Donald Knuth say?" :)
 

-----Original Message-----
From: Rob Nicholls [mailto:robert () robnicholls co uk] 
Sent: Friday, March 12, 2010 12:24 PM
To: Dario Ciccarone (dciccaro); nmap-dev () insecure org
Subject: RE: [NSE] ssl-enum-ciphers hosed?

I emailed Mak 2-3 weeks ago to let him know that I was having similar issues
with the faster version of the script (I could see my certificate being
returned in Nmap's packet trace, but the script wasn't reporting anything)
against my own web server; the original version worked fine, albeit quite
slowly. He said he'd fixed it to return some ciphers (possibly the
SVN version you tried?), but "it still can't return all seven that ssllabs.com
and the old version of my script report".

I was hoping Mak would find time to quickly fix it, but perhaps the SVN
version should go back to the original version of the script? I'd rather
have slow and accurate results than something fast and buggy.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org 
[mailto:nmap-dev-bounces () insecure org]
On Behalf Of Dario Ciccarone (dciccaro)
Sent: 12 March 2010 16:39
To: nmap-dev () insecure org
Subject: [NSE] ssl-enum-ciphers hosed?

Folks:

  Test setup: (1) OpenSUSE Linux 11.1 x86, patched as of today.
(2) Mac running 10.5.8, all patches as of this writing. Nmap 5.21,
freshly built today from source, on Linux & OS/X - downloaded from
nmap.org - also tried nmap 4.85BETA3 on the OS/X machine.

  Downloaded NSE script "ssl-enum-ciphers" from
http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html - run it
against test server @ lab, couple other servers - in all cases, it
would either return "nothing", or something like "40,483 compression
supported" - and listing "uncompressed" 40K times or so. Or would hang
there for a loooong time and basically sit there.

  In all cases, a tcpdump DID show traffic coming & going -
wireshark tagged all SSL ClientHello as "malformed" - but
anyhow . . .

  Grabbed the original version, from Mak, the one he had
attached to his email on 02/16 - using that one, it takes seconds
to scan, and does produce meaningful results (though wireshark
still complains about malformed Hellos)

  Should be easy to repro in the lab - ssl-enum-ciphers ==
doesn't work, sslv3-enum == does work.

  Thanks,
  Dario


  
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/





-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86