nmap ssl-enum-ciphers fails to enumerate tls 1.3 #1691

Closed
daniejstriata opened this issue Aug 13, 2019 · 13 comments


@daniejstriata daniejstriata commented Aug 13, 2019

Hi,

I installed version 7.80's RPM ( and also from source) on Fedora 30 where I can't get ssl-enum-ciphers to enumerate TLS 1.3 information for a host I know serves TLS 1.3. I only see that the web server serves TLS 1.2 as below:

# nmap -sV --script ssl-enum-ciphers -p 443  <host>
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-13 14:40 SAST
Nmap scan report for fte1.gs.striata.com (196.38.49.134)
Host is up (0.0087s latency).

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds

Output from Hardenize: [image]

Details from my compiled version using Openssl 1.1.1c which supports TLS 1.3:

# nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1c nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.43 nmap-libpcap-1.9.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select


@nnposter nnposter commented Aug 13, 2019

Nmap currently does not support TLS 1.3


@dmiller-nmap dmiller-nmap commented Aug 14, 2019

I started updating NSE to TLS 1.3 last year some time, but I haven't had as much time to work on it as I would have liked. That said, it is high on my priority list and I hope to have it finished by the next release (which will not take over a year like Nmap 7.80 did!).


@emanruse emanruse commented Oct 1, 2019

Two more issues with that script. Compare:

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com

to

nmap --script ssl-enum-ciphers -p 443 www.cloudflare.com

The issues are:

  1. The order of the 1.2 ciphers is not server-preferred (the script says cipher preference: client).
  2. Ciphers which SSL Labs lists as weak are reported as 'A' grade by the script.

@moabdira moabdira commented Nov 1, 2019

@dmiller-nmap - Just checking, were you able to make any progress in the last two months or so? Thanks for doing this!


@Towky Towky commented Apr 1, 2020

@dmiller-nmap I'm looking forward to TLS 1.3 support too :)


@xeros xeros commented May 11, 2020

Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.


@emanruse emanruse commented May 12, 2020


@areis422 areis422 commented Jul 24, 2020

I would also like to see 1.3 support.


@SyafiqHadzir SyafiqHadzir commented Jul 25, 2020

> Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered as vulnerable?


@nod0n nod0n commented Dec 18, 2020

> > Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.
>
> Has TLS 1.2 already been considered as vulnerable?

No, but TLS 1.3 is still the future and is already in use on modern systems. A lot of websites don't support TLS 1.3, and more and more websites support TLS 1.2 & 1.3.


@Gregory-N-able Gregory-N-able commented Feb 1, 2021

> > Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.
>
> Has TLS 1.2 already been considered as vulnerable?

TLS 1.2 in and of itself is not considered vulnerable at this time. Certain ciphers available in TLS 1.2 are vulnerable.
https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption


@daniejstriata daniejstriata commented Feb 5, 2021

I use nmap to perform part of my audit of systems, but because it does not support TLS 1.3 I have to use other software to complete my audits, where I could have simplified and used fewer tools.


@mbomb007 mbomb007 commented May 24, 2021

SSL Labs successfully enumerates TLS 1.3 ciphers

However, from the command line, you need something like this:

openssl s_client -connect www.example.com:443 -tls1_3

To check only a specific TLSv1.3 cipher, use this:

openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256

Here's a pretty good Bash implementation for TLSv1.3: https://gist.github.com/jahir/23c4202eee12e377ef3acf1dcdc7c776
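The following is an added example and is not part of this thread, nor Nmap/NSE or OpenSSL code. It shows, at the protocol level, what the `openssl s_client -tls1_3 -ciphersuites ...` loop above does and what the NSE update the maintainers mention has to handle: TLS 1.3 is negotiated through the supported_versions extension, while the legacy_version field in both ClientHello and ServerHello stays 0x0303 (TLS 1.2). A parser that reads only that field therefore reports every TLS 1.3 server as TLS 1.2, which matches the output in the original report. The code builds a TLS 1.3-capable ClientHello that offers one suite at a time, parses the ServerHello, and checks supported_versions before falling back to legacy_version. Assumptions: the x25519 key share is a throwaway random value (no keys are ever derived, only the ServerHello is read), SNI is set to the host name, and the `build_server_hello` helper produces constructed ServerHello records for offline use rather than captured traffic. The constants are the IANA code points from RFC 8446.

```python
"""TLS 1.3-aware probe: offer suites one at a time and read the ServerHello.

Added example, not Nmap/NSE code. Constants are the IANA values from RFC 8446.
"""
import os
import socket
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIG_ALGS = 0x0000, 0x000A, 0x000D
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}


def _vec(data, size):
    """Length-prefixed vector with a `size`-byte big-endian length."""
    return len(data).to_bytes(size, "big") + data


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, cipher_suites, versions=(TLS13, TLS12)):
    """ClientHello record offering exactly `cipher_suites` and `versions`."""
    versions_body = _vec(b"".join(struct.pack("!H", v) for v in versions), 1)
    groups = _vec(struct.pack("!HH", 0x001D, 0x0017), 2)      # x25519, secp256r1
    sig_algs = _vec(struct.pack("!HHH", 0x0403, 0x0804, 0x0401), 2)
    # Throwaway x25519 share (assumption): keys are never derived, only the ServerHello is read.
    key_share = _vec(struct.pack("!H", 0x001D) + _vec(os.urandom(32), 2), 2)
    sni = _vec(b"\x00" + _vec(server_name.encode(), 2), 2)
    extensions = (_ext(EXT_SERVER_NAME, sni) + _ext(EXT_SUPPORTED_GROUPS, groups)
                  + _ext(EXT_SIG_ALGS, sig_algs)
                  + _ext(EXT_SUPPORTED_VERSIONS, versions_body)  # this is where 1.3 is offered
                  + _ext(EXT_KEY_SHARE, key_share))
    body = (struct.pack("!H", TLS12)                    # legacy_version: 1.2 even when offering 1.3
            + os.urandom(32)                            # random
            + _vec(os.urandom(32), 1)                   # legacy_session_id (middlebox compat)
            + _vec(b"".join(struct.pack("!H", c) for c in cipher_suites), 2)
            + _vec(b"\x00", 1)                          # null compression only
            + _vec(extensions, 2))
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)   # record + handshake headers


def parse_server_hello(record):
    """Return (negotiated_version, cipher_suite) from the first record of a reply.

    Raises ValueError for an alert or any non-ServerHello record, which is what
    a server sends when none of the offered suites is acceptable.
    """
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record, content type 0x%02x" % ctype)
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    negotiated = struct.unpack("!H", body[:2])[0]       # legacy_version (0x0303 for 1.3 too)
    pos = 2 + 32                                        # skip random
    pos += 1 + body[pos]                                # skip legacy_session_id_echo
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                            # cipher_suite + compression_method
    if pos < len(body):                                 # extensions are present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, ext_end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = struct.unpack("!H", body[pos + 4:pos + 6])[0]  # the real answer
            pos += 4 + elen
    return negotiated, cipher


def build_server_hello(cipher, selected_version=None):
    """Constructed ServerHello for offline tests (not captured traffic)."""
    body = (struct.pack("!H", TLS12) + bytes(32) + _vec(bytes(32), 1)
            + struct.pack("!H", cipher) + b"\x00")
    if selected_version is not None:                    # only TLS 1.3 servers add this
        body += _vec(_ext(EXT_SUPPORTED_VERSIONS, struct.pack("!H", selected_version)), 2)
    return b"\x16\x03\x03" + _vec(b"\x02" + _vec(body, 3), 2)


def probe(host, cipher_suites, port=443, timeout=5):
    """Live check: (version, suite) the server picks from `cipher_suites`, or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, cipher_suites))
        data = b""
        while len(data) < 5 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    try:
        return parse_server_hello(data)
    except (ValueError, struct.error, IndexError):
        return None


def enumerate_tls13(host, port=443):
    """Offer each TLS 1.3 suite alone, like `openssl s_client -ciphersuites`."""
    return [name for suite, name in TLS13_SUITES.items()
            if probe(host, (suite,), port) == (TLS13, suite)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.cloudflare.com"
    print("\n".join(enumerate_tls13(target)) or "no TLS 1.3 suite accepted")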
