diff --git a/CHANGELOG b/CHANGELOG
index 481e9d682..c137216f1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@
# Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
+ handshake, including certificate key size and DH parameters if applicable.
+ This is similar to Qualys's SSL Labs scanner, and means that we no longer
+ maintain a list of scores per ciphersuite. [Daniel Miller]
+
o [NSE] Add the signature algorithm that was used to sign the target port's
x509 certificate to the output of ssl-cert.nse [Tom Sellers]
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 91f1e57ca..a063f502c 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -32,6 +32,10 @@ client offers. In the case of server ordering, the script makes extra probes to
discover the server's sorted preference list. Otherwise, the list is sorted
alphabetically.
+The script will warn about certain SSL misconfigurations such as MD5-signed
+certificates, low-quality ephemeral DH parameters, and the POODLE
+vulnerability.
+
This script is intrusive since it must initiate many connections to a server,
and therefore is quite noisy.
]]
@@ -46,23 +50,23 @@ and therefore is quite noisy.
-- | ssl-enum-ciphers:
-- | SSLv3:
-- | ciphers:
--- | TLS_RSA_WITH_RC4_128_MD5 - A
--- | TLS_RSA_WITH_RC4_128_SHA - A
--- | TLS_RSA_WITH_3DES_EDE_CBC_SHA - E
+-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
+-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
+-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
-- | compressors:
-- | NULL
-- | cipher preference: server
-- | TLSv1.0:
-- | ciphers:
--- | TLS_RSA_WITH_RC4_128_MD5 - A
--- | TLS_RSA_WITH_RC4_128_SHA - A
--- | TLS_RSA_WITH_3DES_EDE_CBC_SHA - E
--- | TLS_RSA_WITH_AES_256_CBC_SHA - A
--- | TLS_RSA_WITH_AES_128_CBC_SHA - A
+-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
+-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
+-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
+-- | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
-- | compressors:
-- | NULL
-- | cipher preference: server
--- |_ least strength: E
+-- |_ least strength: C
--
-- @xmloutput
--
@@ -70,14 +74,17 @@ and therefore is quite noisy.
--
-- TLS_RSA_WITH_RC4_128_MD5
-- A
+-- rsa 2048
--
--
-- TLS_RSA_WITH_RC4_128_SHA
-- A
+-- rsa 2048
--
--
-- TLS_RSA_WITH_3DES_EDE_CBC_SHA
--- E
+-- C
+-- rsa 2048
--
--
--
@@ -90,22 +97,27 @@ and therefore is quite noisy.
--
-- TLS_RSA_WITH_RC4_128_MD5
-- A
+-- rsa 2048
--
--
-- TLS_RSA_WITH_RC4_128_SHA
-- A
+-- rsa 2048
--
--
-- TLS_RSA_WITH_3DES_EDE_CBC_SHA
--- E
+-- C
+-- rsa 2048
--
--
--- TLS_RSA_WITH_AES_256_CBC_SHA
+-- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-- A
+-- dh 256
--
--
--- TLS_RSA_WITH_AES_128_CBC_SHA
+-- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-- A
+-- dh 256
--
--
--
@@ -113,7 +125,7 @@ and therefore is quite noisy.
--
-- server
--
--- E
+-- C
author = "Mak Kolybabi , Gabriel Lawrence"