Deprecate RC4 ciphersuites

CHANGELOG

@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] ssl-enum-ciphers will cap the score of an RC4-ciphersuite handshake at
+  C and output a warning referencing RFC 7465.
+
 o Changed libdnet-stripped to avoid bailing completely when an interface is
   encountered with an unsupported hardware address type. Caused "INTERFACES:
   NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address

nselib/tls.lua

@@ -1076,6 +1076,11 @@ function cipher_info (c)
     info.size = tonumber(tokens[i])
   end
 
+  -- Other key size overrides
+  if info.cipher == "RC4" then -- RFC 7465 prohibits RC4 in TLS
+    info.size = math.min(info.size or 80, 80) -- Equivalently caps to C grade?
+  end
+
   -- hash
   if info.mode == "CCM" then
     info.hash = "SHA256"

scripts/ssl-enum-ciphers.nse

@@ -492,8 +492,8 @@ local function find_ciphers_group(host, port, protocol, group, scores)
             end
             if protocol == "SSLv3" and  info.mode and info.mode == "CBC" then
               scores.warnings["CBC-mode cipher in SSLv3 (CVE-2014-3566)"] = true
-            elseif info.cipher == "RC4" and tls.PROTOCOLS[protocol] >= 0x0302 then
+            elseif info.cipher == "RC4" then
-              scores.warnings["Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation"] = true
+              scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true
             end
             local kex = tls.KEX_ALGORITHMS[info.kex]
             local extra, kex_strength