nmap ssl-enum-ciphers fails to enumerate tls 1.3 #1691
I installed version 7.80's RPM (and also from source) on Fedora 30, where I can't get ssl-enum-ciphers to enumerate TLS 1.3 information for a host I know serves TLS 1.3. I only see that the web server serves TLS 1.2 as below:
Details from my compiled version using OpenSSL 1.1.1c, which supports TLS 1.3:
I started updating NSE to TLS 1.3 last year some time, but I haven't had as much time to work on it as I would have liked. That said, it is high on my priority list and I hope to have it finished by the next release (which will not take over a year like Nmap 7.80 did!).
Two more issues with that script. Compare:
The issues are:
No, but TLS 1.3 is still the future and is already in use on modern systems. A lot of websites don't support TLS 1.3, and more and more websites support TLS 1.2 & 1.3.
TLS 1.2 in and of itself is not considered vulnerable at this time. Certain ciphers available in TLS 1.2 are vulnerable.
SSL Labs successfully enumerates TLS 1.3 ciphers
However, from the command line, you need something like this:
openssl s_client -connect www.example.com:443 -tls1_3
To check only a specific TLSv1.3 cipher, use this:
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256
Here's a pretty good Bash implementation for TLSv1.3? https://gist.github.com/jahir/23c4202eee12e377ef3acf1dcdc7c776
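The per-suite `openssl s_client` checks shown above can be looped over every TLS 1.3 suite defined in RFC 8446, which goes beyond the three suites listed in the thread. This is an added example, not code from the thread, from Nmap, or from the linked gist; the function names `probe`, `handshake_ok` and `enum_tls13` are hypothetical, and it assumes an OpenSSL 1.1.1 or later client.

```shell
#!/usr/bin/env bash
# Added example: report which TLS 1.3 cipher suites a server accepts,
# using one s_client handshake per suite.

# The five TLS 1.3 cipher suites defined in RFC 8446.
TLS13_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 \
TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"

# probe HOST PORT SUITE
# Offer exactly one TLS 1.3 suite and print the s_client transcript.
# stdin is /dev/null so s_client exits as soon as the handshake is done.
probe() {
    openssl s_client -connect "$1:$2" -tls1_3 -ciphersuites "$3" \
        </dev/null 2>/dev/null
}

# handshake_ok TRANSCRIPT SUITE
# s_client prints "New, TLSv1.3, Cipher is <suite>" after a successful
# handshake and "New, (NONE), Cipher is (NONE)" after a failed one.
handshake_ok() {
    printf '%s\n' "$1" | grep -q "^New, TLSv1\.3, Cipher is $2\$"
}

# enum_tls13 HOST [PORT]
# Prints one "accepted <suite>" or "rejected <suite>" line per suite.
# "rejected" also covers a local OpenSSL build that lacks the suite.
enum_tls13() {
    local host="$1" port="${2:-443}" suite out
    for suite in $TLS13_SUITES; do
        # A failed handshake makes s_client exit non-zero; keep going.
        out=$(probe "$host" "$port" "$suite") || true
        if handshake_ok "$out" "$suite"; then
            echo "accepted $suite"
        else
            echo "rejected $suite"
        fi
    done
}

# Run only when a host is given, e.g.: ./enum_tls13.sh www.example.com 443
if [ "$#" -ge 1 ]; then
    enum_tls13 "$@"
fi
```
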