
nmap ssl-enum-ciphers fails to enumerate tls 1.3 #1691

Closed
daniejstriata opened this issue Aug 13, 2019 · 13 comments

Comments

@daniejstriata

daniejstriata commented Aug 13, 2019

Hi,

I installed version 7.80's RPM (and also built from source) on Fedora 30, where I can't get ssl-enum-ciphers to enumerate TLS 1.3 information for a host I know serves TLS 1.3. I only see that the web server serves TLS 1.2, as below:

# nmap -sV --script ssl-enum-ciphers -p 443  <host>
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-13 14:40 SAST
Nmap scan report for fte1.gs.striata.com (196.38.49.134)
Host is up (0.0087s latency).

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds

Output from Hardenize:

Details from my compiled version using Openssl 1.1.1c which supports TLS 1.3:

# nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1c nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.43 nmap-libpcap-1.9.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

@nnposter

Nmap currently does not support TLS 1.3

@dmiller-nmap

I started updating NSE to TLS 1.3 last year some time, but I haven't had as much time to work on it as I would have liked. That said, it is high on my priority list and I hope to have it finished by the next release (which will not take over a year like Nmap 7.80 did!).

@emanruse

emanruse commented Oct 1, 2019

Two more issues with that script. Compare:

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com

to

nmap --script ssl-enum-ciphers -p 443 www.cloudflare.com

The issues are:

  1. The order of the 1.2 ciphers is not server-preferred (the script says cipher preference: client).
  2. Ciphers which SSL Labs lists as weak are reported as 'A' grade by the script.

@moabdira

moabdira commented Nov 1, 2019

@dmiller-nmap - Just checking, were you able to make any progress in the last two months or so? Thanks for doing this!

@Towky

Towky commented Apr 1, 2020

@dmiller-nmap I'm looking forward to TLS 1.3 support too :)

@xeros

xeros commented May 11, 2020

Now, since TLS 1.2 has been considered vulnerable, it's getting highly desirable to have TLS 1.3 support.

@emanruse

emanruse commented May 12, 2020 via email

@areis422

I would also like to see 1.3 support.

@syafiqhadzir

Now, since TLS 1.2 has been considered vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered vulnerable?

@nod0n

nod0n commented Dec 18, 2020

Now, since TLS 1.2 has been considered vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered vulnerable?

No, but TLS 1.3 is still the future and is already in use on modern systems. A lot of websites don't support TLS 1.3, and more and more websites support TLS 1.2 & 1.3.

@Gregory-N-able

Now, since TLS 1.2 has been considered vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered vulnerable?

TLS 1.2 in and of itself is not considered vulnerable at this time. Certain ciphers available in TLS 1.2 are vulnerable.
https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption

@daniejstriata

daniejstriata commented Feb 5, 2021

I use nmap to perform part of my audit of systems, but because it does not support TLS 1.3 I have to use other software to complete my audits, where I could've simplified and used fewer tools.

@mbomb007

mbomb007 commented May 24, 2021

SSL Labs successfully enumerates TLS 1.3 ciphers.

However, from the command line, you need something like this:

openssl s_client -connect www.example.com:443 -tls1_3

To check only a specific TLSv1.3 cipher, use this:

openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256
openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256

Here's a pretty good Bash implementation for TLSv1.3? https://gist.github.com/jahir/23c4202eee12e377ef3acf1dcdc7c776
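The per-suite s_client probing described in the comment above, turned into a small POSIX shell script (an added example, not code from this issue, from Nmap, or from the linked gist). It assumes OpenSSL 1.1.1 or later on PATH, and TARGET_HOST / TARGET_PORT are placeholder environment variables; without them it only runs the parser over a constructed sample, so no network is needed.

```shell
#!/bin/sh
# Added example: offer each TLS 1.3 ciphersuite on its own with
# `openssl s_client -tls1_3 -ciphersuites <suite>` and read back what was
# negotiated. Requires OpenSSL 1.1.1+ for the -ciphersuites option.

# The three TLS 1.3 suites OpenSSL 1.1.1 enables by default.
TLS13_SUITES="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"

# Read s_client output on stdin and print "<protocol> <cipher>" from its
# SSL-Session block, or "none none" when no handshake completed
# (s_client then prints Cipher 0000, or nothing at all).
parse_s_client() {
    awk '/^ *Protocol *:/ { proto = $3 }
         /^ *Cipher *:/   { cipher = $3 }
         END { if (proto == "" || cipher == "" || cipher == "0000") print "none none";
               else print proto, cipher }'
}

# Map a parse result to accepted/rejected for the single suite we offered.
suite_status() {  # $1 = "<protocol> <cipher>", $2 = offered suite
    [ "$1" = "TLSv1.3 $2" ] && echo accepted || echo rejected
}

# One handshake with one suite; stdin from /dev/null ends the session
# right after the handshake so s_client exits on its own.
probe_suite() {  # $1 = host, $2 = port, $3 = suite
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_3 \
        -ciphersuites "$3" </dev/null 2>/dev/null | parse_s_client
}

enum_tls13() {  # $1 = host, $2 = port
    for suite in $TLS13_SUITES; do
        echo "$suite: $(suite_status "$(probe_suite "$1" "$2" "$suite")" "$suite")"
    done
}

# Constructed sample of a successful s_client session block (for offline use).
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Placeholder variables: set TARGET_HOST (and optionally TARGET_PORT) to scan a server.
if [ -n "${TARGET_HOST:-}" ]; then
    enum_tls13 "$TARGET_HOST" "${TARGET_PORT:-443}"
else
    printf '%s\n' "$SAMPLE_OK" | parse_s_client
fi
```

A suite is reported as accepted only when the server answers with TLSv1.3 and exactly the suite that was offered, so a downgrade or a fallback to a different suite counts as rejected.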

mzet- pushed a commit to mzet-/Nmap-for-Pen-Testers that referenced this issue Dec 20, 2021