From 0d21bd42e272c7ff16cf1bd9bb09a2dc050f090b Mon Sep 17 00:00:00 2001 From: dmiller Date: Sat, 29 Jul 2017 05:55:27 +0000 Subject: [PATCH] Update cipher suites to eliminate anonymous authentication methods --- CHANGELOG | 4 ++++ ncat/docs/ncat.xml | 2 +- ncat/docs/ncatguide.xml | 2 +- ncat/ncat_connect.c | 2 +- ncat/ncat_ssl.c | 2 +- nsock/src/nsock_ssl.c | 2 +- 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index ae10c330a..fefa210b0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o Updated the default ciphers list for Ncat and the secure ciphers list for + Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH + ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller] + o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr] diff --git a/ncat/docs/ncat.xml b/ncat/docs/ncat.xml index ee159926a..1dd88ee00 100644 --- a/ncat/docs/ncat.xml +++ b/ncat/docs/ncat.xml @@ -392,7 +392,7 @@ when connecting to servers or when accepting SSL connections from clients. The syntax is described in the OpenSSL ciphers(1) man page, and defaults to - ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH + ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH diff --git a/ncat/docs/ncatguide.xml b/ncat/docs/ncatguide.xml index ec5a3efb5..ec401a5fa 100644 --- a/ncat/docs/ncatguide.xml +++ b/ncat/docs/ncatguide.xml @@ -440,7 +440,7 @@ Content-Type: text/html; charset=UTF-8 client) or accept (as a server) is a matter of choice between the greatest compatibility and the greatest security. The default set, expressed as an OpenSSL cipherlist, is - ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH, a reasonable balance + ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH, a reasonable balance between the two ends of the spectrum. To set a different priority or initial choice, use the option. (Ncat option) 
diff --git a/ncat/ncat_connect.c b/ncat/ncat_connect.c index 6ab2e241c..51f061ee3 100644 --- a/ncat/ncat_connect.c +++ b/ncat/ncat_connect.c @@ -248,7 +248,7 @@ static void set_ssl_ctx_options(SSL_CTX *ctx) bye("The --ssl-key and --ssl-cert options must be used together."); } if (o.sslciphers == NULL) { - if (!SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")) + if (!SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH")) bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL)); } else { diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c index 2b1516044..dbebef957 100644 --- a/ncat/ncat_ssl.c +++ b/ncat/ncat_ssl.c @@ -197,7 +197,7 @@ SSL_CTX *setup_ssl_listen(void) /* Secure ciphers list taken from Nsock. */ if (o.sslciphers == NULL) { - if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")) + if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH")) bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL)); } else { diff --git a/nsock/src/nsock_ssl.c b/nsock/src/nsock_ssl.c index 5dae25d4f..ba7b2dd77 100644 --- a/nsock/src/nsock_ssl.c +++ b/nsock/src/nsock_ssl.c @@ -71,7 +71,7 @@ * OpenSSL. To see exactly what ciphers are enabled, use the command * openssl ciphers -v '...' * where ... is the string below. */ -#define CIPHERS_SECURE "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" +#define CIPHERS_SECURE "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH" /* This list of ciphers is for speed and compatibility, not security. Any cipher * is accepted, and the list is sorted by speed based on Brian Hatch's
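Review bot: The new default cipher string is now hand-copied in three places (the SSL_CTX_set_cipher_list calls in ncat_connect.c and ncat_ssl.c, and CIPHERS_SECURE in nsock_ssl.c), and none of them records why "!ADH" was replaced, so the rationale in the CHANGELOG — that "!ADH" does not cover the anonymous ECDH suites that ECDH support brought in — is lost at the point where the next maintainer edits the string. I would put a why-comment next to each copy, e.g. `/* !aNULL (not !ADH) is required to also exclude anonymous ECDH suites; !eNULL drops the null-encryption suites. */`, and since ncat_ssl.c already says "Secure ciphers list taken from Nsock", the two ncat copies could share one macro such as `#define NCAT_DEFAULT_CIPHERS "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"` in a common ncat header, so a future tightening cannot land in one call site and not the other. The ncat.xml and ncatguide.xml text is a fourth and fifth copy of the same string and should be kept pointing at the same value. The enclosing functions set_ssl_ctx_options and setup_ssl_listen both begin before their hunks and continue after them.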