Nmap Development mailing list archives
[NSE] More cipher suites needed in ssl-date
From: nnposter () users sourceforge net
Date: Tue, 22 Jul 2014 21:27:25 +0000
The current version of ssl-date.nse supports only the following three
cipher suites:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

This restriction is causing issues when used against older Windows
systems because they support only the RSA key exchange. This leaves us
only with RC4+MD5, which is unreliable because targets tend to have it
disabled due to using MD5 or because of the problematic RC4 or simply
because the cipher suite is not FIPS-compliant.

I am proposing to add a fourth cipher suite that:
* Maintains key exchange compatibility by using the RSA key exchange
* Is compliant with FIPS (and inherently avoids both RC4 and MD5)

The obvious candidate is TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Cheers,
nnposter

Patch against revision 33299 follows:
--- scripts/ssl-date.nse.orig 2014-07-22 14:33:19.941974300 -0600
+++ scripts/ssl-date.nse 2014-07-22 14:48:18.570974300 -0600
@@ -59,6 +59,7 @@
["ciphers"] = {
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_RC4_128_MD5",
},
["compressors"] = {"NULL"},
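Review bot: the added "TLS_RSA_WITH_3DES_EDE_CBC_SHA" entry in the ["ciphers"] table carries no comment saying why it is there, and nothing in the table shows that it and "TLS_RSA_WITH_RC4_128_MD5" are the only two entries using plain RSA key exchange. A one-line Lua comment above the new entry (for example, that it covers RSA-only targets that have RC4 and MD5 disabled) would keep a later cleanup from dropping it as a legacy suite. Placing it ahead of the RC4/MD5 entry looks right, since the RSA suite without RC4 or MD5 is then offered first.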
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
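
The compatibility argument in the message above, as an added example that is not part of the original post or of Nmap's code: a small model of which suite a server would pick from the script's offer list before and after the patch. The server profiles and their names are constructed for illustration, and the model assumes the server honours the client's order and implements every cipher it has not disabled.

```python
import re

# Offer lists from the message: ssl-date's suites before and after the patch.
OFFER_BEFORE = [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
OFFER_AFTER = OFFER_BEFORE[:2] + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"] + OFFER_BEFORE[2:]

# Constructed server profiles (hypothetical names), modelled on the message:
# key exchanges the server supports, plus algorithms its policy has disabled.
SERVERS = {
    "rsa_only_default": {"kx": {"RSA"}, "off": set()},
    "rsa_only_no_rc4_md5": {"kx": {"RSA"}, "off": {"RC4", "MD5"}},
    "dhe_capable_no_rc4_md5": {"kx": {"RSA", "DHE_RSA"}, "off": {"RC4", "MD5"}},
}

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def parse_suite(name):
    """Split an IANA suite name into (key exchange, cipher family, MAC)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name!r}")
    return m["kx"], m["cipher"].split("_")[0], m["mac"]

def negotiate(offer, server):
    """Return the first offered suite the server accepts, or None.

    Assumption: the server honours the client's order and implements every
    cipher it has not disabled. None models a handshake failure, i.e. no
    ServerHello for the script to work with.
    """
    for name in offer:
        kx, family, mac = parse_suite(name)
        if kx in server["kx"] and not {family, mac} & server["off"]:
            return name
    return None

def compare(profile):
    """Negotiation result for one profile with the old and the new offer."""
    server = SERVERS[profile]
    return negotiate(OFFER_BEFORE, server), negotiate(OFFER_AFTER, server)

if __name__ == "__main__":
    for profile in SERVERS:
        before, after = compare(profile)
        print(f"{profile:24} before={before}  after={after}")
```

The middle profile is the case the message describes: with the old list it gets no match at all, and with the new list it settles on the 3DES suite.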