
Comments (4)

rbsec commented on July 17, 2024

EXPORT ciphers (40 or 56 bit) have been flagged as weak in sslscan for a long time.

For the weak DHE keys, the --cipher-details option was added in 3820aae to display these. I've made another commit that will highlight weak keys (<=768) and medium strength keys (<=1024) in the output - although I don't have a weak server to test against.

Note that the --cipher-details option requires OpenSSL 1.0.2 (which there's a good chance your system doesn't have) - so you may have to statically build sslscan (make static, rather than just make).

Output will look something like this:

Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-SEED-SHA              DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits

from sslscan.

marcvdm commented on July 17, 2024

I did not know about the --cipher-details. I must have missed that one.

Thanks for the quick response.


marcvdm commented on July 17, 2024

Only thing I'm missing is the cipher details in the XML output.

Tried to figure out how to do it myself in a pull request but I'm not a C developer :(


rbsec commented on July 17, 2024

Key bits weren't being reported for DHE ciphers (only ECDHE) - I've fixed that in f49bc1d.

I've also made a change to the XML format; previously there was a "dhebits" attribute on the ciphers that only existed on EC ciphers. This would get a bit confusing if the same attribute was used for both DHE and ECDHE (because ECDHE ones are almost always 256-bit, which is secure, but would make parsing them more of a pain to work out which ones were insecure). ECDHE ciphers now have an "ecdhebits" attribute, and normal DHE ciphers have "dhebits".

New XML output should look something like this:

  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="DHE-RSA-CAMELLIA128-SHA" dhebits="2048" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-RC4-SHA" curve="P-256" ecdhebits="256" />

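Added example (not part of the thread and not sslscan code): a small Python consumer for the XML format described above, grading "dhebits" with the 768/1024-bit thresholds mentioned earlier in the thread and keeping "ecdhebits" off that scale. The `<ssltest>` wrapper element, the 1024- and 512-bit entries and the old-format ECDHE line are constructed sample data; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Thresholds from the thread: DHE <= 768 bits is weak, <= 1024 bits is medium.
WEAK_DHE_BITS = 768
MEDIUM_DHE_BITS = 1024

# Constructed sample. The first two lines mirror the thread; the wrapper
# element and the remaining entries are made up for illustration.
SAMPLE_XML = """<ssltest>
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="DHE-RSA-CAMELLIA128-SHA" dhebits="2048" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-RC4-SHA" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="128" cipher="DHE-RSA-AES128-SHA" dhebits="1024" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="256" cipher="DHE-RSA-AES256-SHA" dhebits="512" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-AES128-SHA" dhebits="256" />
</ssltest>"""


def classify_dhe(bits):
    """Grade a finite-field DHE key size using the thread's thresholds."""
    if bits <= WEAK_DHE_BITS:
        return "weak"
    if bits <= MEDIUM_DHE_BITS:
        return "medium"
    return "ok"


def audit_ciphers(xml_text):
    """Return (cipher, kex, bits, grade) for each accepted cipher with key bits."""
    findings = []
    for el in ET.fromstring(xml_text).iter("cipher"):
        if el.get("status") != "accepted":
            continue
        name = el.get("cipher", "")
        if el.get("ecdhebits") is not None:
            # New format: EC key sizes are reported, not graded on the DHE scale.
            findings.append((name, "ECDHE", int(el.get("ecdhebits")), "not graded"))
        elif el.get("dhebits") is not None:
            bits = int(el.get("dhebits"))
            if name.startswith("ECDHE"):
                # Old format put EC key sizes in "dhebits"; don't misgrade them.
                findings.append((name, "ECDHE", bits, "not graded"))
            else:
                findings.append((name, "DHE", bits, classify_dhe(bits)))
    return findings


if __name__ == "__main__":
    for name, kex, bits, grade in audit_ciphers(SAMPLE_XML):
        print(f"{grade:10} {kex:5} {bits:5}  {name}")
```

The old-format branch matters when reports from sslscan builds before and after the attribute split are processed together: without it, a 256-bit EC key in "dhebits" would be graded as a weak DHE key.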
