PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Fix some scoring/detection for TLSv1.3 in ssl-enum-ciphers

Browse Source
This commit is contained in:
dmiller
2025-06-02 14:31:42 +00:00
parent 4add49408c
commit 65ec31cf6f
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
scripts/ssl-enum-ciphers.nse
View File

@@ -613,6 +613,7 @@ end
local function find_ciphers_group(host, port, protocol, group, scores) local function find_ciphers_group(host, port, protocol, group, scores)
local results = {} local results = {}
local t = get_hello_table(host, protocol) local t = get_hello_table(host, protocol)
local tls13 = protocol == "TLSv1.3"
-- This is a hacky sort of tristate variable. There are three conditions: -- This is a hacky sort of tristate variable. There are three conditions:
-- 1. false = either ciphers or protocol is bad. Keep trying with new ciphers -- 1. false = either ciphers or protocol is bad. Keep trying with new ciphers
@@ -657,7 +658,7 @@ local function find_ciphers_group(host, port, protocol, group, scores)
ctx_log(2, protocol, "Unexpected record received.") ctx_log(2, protocol, "Unexpected record received.")
break break
end end
if server_hello.protocol ~= protocol then if server_hello.protocol ~= protocol and not server_hello.helloretry then
ctx_log(1, protocol, "Protocol rejected. cipher: %s", server_hello.cipher) ctx_log(1, protocol, "Protocol rejected. cipher: %s", server_hello.cipher)
-- Some implementations will do this if a cipher is supported in some -- Some implementations will do this if a cipher is supported in some
-- other protocol version but not this one. Gotta keep trying. -- other protocol version but not this one. Gotta keep trying.
@@ -697,11 +698,11 @@ local function find_ciphers_group(host, port, protocol, group, scores)
elseif info.cipher == "RC4" then elseif info.cipher == "RC4" then
scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true
end end
if protocol == "TLSv1.3" and not info.tls13ok then if tls13 and not info.tls13ok then
scores.warnings["Non-TLSv1.3 ciphersuite chosen for TLSv1.3"] = true scores.warnings["Non-TLSv1.3 ciphersuite chosen for TLSv1.3"] = true
end end
local kex = tls.KEX_ALGORITHMS[info.kex] local kex = tls.KEX_ALGORITHMS[info.kex]
scores.any_pfs_ciphers = kex.pfs or scores.any_pfs_ciphers scores.any_pfs_ciphers = tls13 or kex.pfs or scores.any_pfs_ciphers
local extra, kex_strength local extra, kex_strength
if kex.export then if kex.export then
scores.warnings["Export key exchange"] = true scores.warnings["Export key exchange"] = true
@@ -755,7 +756,7 @@ local function find_ciphers_group(host, port, protocol, group, scores)
end end
end end
local ske local ske
if protocol == "TLSv1.3" then if tls13 then
ske = server_hello.extensions.key_share ske = server_hello.extensions.key_share
elseif kex.server_key_exchange then elseif kex.server_key_exchange then
ske = get_body(handshake, "type", "server_key_exchange") ske = get_body(handshake, "type", "server_key_exchange")