Changed weak cipher strength threshold from 128 to 112 bits in script ssl-enum-ciphers. Fixes #474

2025-12-31 11:59:03 +00:00 · 2016-08-11 23:47:31 +00:00
parent 9fafb473d1
commit f3ee542683
1 changed files with 16 additions and 16 deletions
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -56,9 +56,9 @@ and therefore is quite noisy.
 -- |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 -- |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 -- |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - A
 -- |       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
@@ -78,9 +78,9 @@ and therefore is quite noisy.
 -- |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 -- |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 -- |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - A
 -- |       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
@@ -106,9 +106,9 @@ and therefore is quite noisy.
 -- |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
 -- |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 -- |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- |       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - A
+-- |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - A
 -- |       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
 -- |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
@@ -157,17 +157,17 @@ and therefore is quite noisy.
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
 --       <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
 --       <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">rsa 2048</elem>
 --       <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
@@ -267,17 +267,17 @@ and therefore is quite noisy.
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
 --       <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
 --       <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">rsa 2048</elem>
 --       <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
--       <elem key="strength">C</elem>
+--       <elem key="strength">A</elem>
 --     </table>
 --     <table>
 --       <elem key="kex_info">secp256r1</elem>
@@ -571,7 +571,7 @@ local function score_cipher (kex_strength, cipher_info)

  if cipher_info.size == 0 then
    return 0
-  elseif cipher_info.size < 128 then
+  elseif cipher_info.size < 112 then
    cipher_score = 0.2
  elseif cipher_info.size < 256 then
    cipher_score = 0.8