Nmap Development mailing list archives
Bug Report: ssl-enum-ciphers fails (EOF) on CloudFront/ECDSA targets supporting TLS 1.2
From: Jack Seredyniecki via dev <dev () nmap org>
Date: Thu, 2 Apr 2026 16:29:33 -0400
Hello nmap dev team,

I am reporting a false negative where ssl-enum-ciphers fails to detect TLS 1.2 on a CloudFront target (itwisegroup.com:443) that uses an ECDSA certificate and Post-Quantum hybrid key exchange (X25519MLKEM768). While sslscan and openssl confirm TLS 1.2 is active, Nmap reports only TLS 1.3.

My debug logs show the server is dropping the connection (EOF) during the Nmap TLS 1.2 handshake attempt:

    NSE: [ssl-enum-ciphers 18.67.65.27:443] (TLSv1.2) Couldn't read a TLS record: EOF

Attached/Below is the full output of:

    nmap -p 443 --script ssl-enum-ciphers --script-trace -d itwisegroup.com

System Info:
Nmap Version: 7.99
Platform: FreeBSD 15.0-RELEASE-p5 (also tested on macOS 26.3.1)
OpenSSL Version: 3.2.1

Please let me know if you need any additional information and thanks for looking into this!
Attachment: nmap799_trace_sanitized.txt
