
Update cipher suites to eliminate anonymous authentication methods

This commit is contained in:
dmiller
2017-07-29 05:55:27 +00:00
parent cf56f93d95
commit 0d21bd42e2
6 changed files with 9 additions and 5 deletions


@@ -1,5 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*-
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16. [Andrew Orr]


@@ -392,7 +392,7 @@
when connecting to servers or when accepting SSL connections from
clients. The syntax is described in the OpenSSL ciphers(1) man
page, and defaults to
<literal>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</literal></para>
<literal>ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH</literal></para>
</listitem>
</varlistentry>
</variablelist>


@@ -440,7 +440,7 @@ Content-Type: text/html; charset=UTF-8
client) or accept (as a server) is a matter of choice between the greatest
compatibility and the greatest security. The default set, expressed as an
OpenSSL cipherlist, is
<literal>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</literal>, a reasonable balance
<literal>ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH</literal>, a reasonable balance
between the two ends of the spectrum. To set a different priority or
initial choice, use the <option>--ssl-ciphers</option> option.
<indexterm><primary><option>--ssl-ciphers</option> (Ncat option)</primary></indexterm>


@@ -248,7 +248,7 @@ static void set_ssl_ctx_options(SSL_CTX *ctx)
bye("The --ssl-key and --ssl-cert options must be used together.");
}
if (o.sslciphers == NULL) {
if (!SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
if (!SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"))
bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
}
else {
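Review bot: The cipher-list literal passed to SSL_CTX_set_cipher_list in set_ssl_ctx_options is now the third verbatim copy of the same string — setup_ssl_listen carries another and Nsock's CIPHERS_SECURE a third, plus the two man-page copies — and this commit had to edit every one of them by hand. Hoisting it into a single macro that both Ncat call sites share (reusing Nsock's definition if that header is visible to Ncat, otherwise something like `#define NCAT_DEFAULT_CIPHERS "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"` in a common Ncat header) would keep code and documentation from drifting apart on the next change. The definition also deserves a one-line comment explaining the choice, since OpenSSL's `ALL` keyword already omits eNULL suites: `/* !aNULL drops ADH and AECDH (no peer authentication); !eNULL is redundant with ALL but kept explicit. */`. set_ssl_ctx_options begins and continues outside the hunk.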


@@ -197,7 +197,7 @@ SSL_CTX *setup_ssl_listen(void)
/* Secure ciphers list taken from Nsock. */
if (o.sslciphers == NULL) {
if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"))
bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
}
else {


@@ -71,7 +71,7 @@
* OpenSSL. To see exactly what ciphers are enabled, use the command
* openssl ciphers -v '...'
* where ... is the string below. */
#define CIPHERS_SECURE "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
#define CIPHERS_SECURE "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"
/* This list of ciphers is for speed and compatibility, not security. Any cipher
* is accepted, and the list is sorted by speed based on Brian Hatch's