Hi Team,
I encountered some false positives with the gb_secpod_ssl_ciphers_weak_report
plugin.
The plugin gives the following output:
Server will not support SSLv2 Ciphers.
Server will not support SSLv3 Ciphers.
Server supports TLSv1 ciphers.
Weak Ciphers
SSL3_RSA_NULL_MD5 : SSL_NOT_EXP
SSL3_RSA_NULL_SHA : SSL_NOT_EXP
SSL3_RSA_RC4_40_MD5 : SSL_EXPORT
SSL3_RSA_RC2_40_MD5 : SSL_EXPORT
SSL3_RSA_DES_40_CBC_SHA : SSL_EXPORT
SSL3_DH_DSS_DES_40_CBC_SHA : SSL_EXPORT
SSL3_DH_RSA_DES_40_CBC_SHA : SSL_EXPORT
SSL3_EDH_DSS_DES_40_CBC_SHA : SSL_EXPORT
SSL3_EDH_RSA_DES_40_CBC_SHA : SSL_EXPORT
SSL3_ADH_RC4_40_MD5 : SSL_EXPORT
SSL3_ADH_DES_40_CBC_SHA : SSL_EXPORT
SSL3_FZA_DMS_NULL_SHA : SSL_NOT_EXP
SSL3_FZA_DMS_FZA_SHA : SSL_NOT_EXP
SSL3_FZA_DMS_RC4_SHA : SSL_NOT_EXP
SSL3_KRB5_DES_40_CBC_SHA : SSL_EXPORT
SSL3_KRB5_RC2_40_CBC_SHA : SSL_EXPORT
SSL3_KRB5_RC4_40_SHA : SSL_EXPORT
SSL3_KRB5_DES_40_CBC_MD5 : SSL_EXPORT
SSL3_KRB5_RC2_40_CBC_MD5 : SSL_EXPORT
SSL3_KRB5_RC4_40_MD5 : SSL_EXPORT
SSL3_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT
SSL3_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT
SSL3_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
SSL3_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
SSL3_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA : SSL_EXPORT
SSL3_RSA_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_DH_DSS_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_DH_RSA_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_DHE_DSS_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_ADH_WITH_SEED_SHA : SSL_NOT_EXP
SSL3_ECDH_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
SSL3_ECDHE_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
SSL3_ECDH_RSA_WITH_NULL_SHA : SSL_NOT_EXP
SSL3_ECDHE_RSA_WITH_NULL_SHA : SSL_NOT_EXP
SSL3_ECDH_anon_WITH_NULL_SHA : SSL_NOT_EXP
TLS1_RSA_NULL_MD5 : SSL_NOT_EXP
TLS1_RSA_NULL_SHA : SSL_NOT_EXP
TLS1_RSA_RC4_40_MD5 : SSL_EXPORT
TLS1_RSA_RC2_40_MD5 : SSL_EXPORT
TLS1_RSA_DES_40_CBC_SHA : SSL_EXPORT
TLS1_DH_DSS_DES_40_CBC_SHA : SSL_EXPORT
TLS1_DH_RSA_DES_40_CBC_SHA : SSL_EXPORT
TLS1_EDH_DSS_DES_40_CBC_SHA : SSL_EXPORT
TLS1_EDH_RSA_DES_40_CBC_SHA : SSL_EXPORT
TLS1_ADH_RC4_40_MD5 : SSL_EXPORT
TLS1_ADH_DES_40_CBC_SHA : SSL_EXPORT
TLS1_FZA_DMS_NULL_SHA : SSL_NOT_EXP
TLS1_FZA_DMS_FZA_SHA : SSL_NOT_EXP
TLS1_FZA_DMS_RC4_SHA : SSL_NOT_EXP
TLS1_KRB5_DES_40_CBC_SHA : SSL_EXPORT
TLS1_KRB5_RC2_40_CBC_SHA : SSL_EXPORT
TLS1_KRB5_RC4_40_SHA : SSL_EXPORT
TLS1_KRB5_DES_40_CBC_MD5 : SSL_EXPORT
TLS1_KRB5_RC2_40_CBC_MD5 : SSL_EXPORT
TLS1_KRB5_RC4_40_MD5 : SSL_EXPORT
TLS1_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT
TLS1_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT
TLS1_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
TLS1_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
TLS1_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA : SSL_EXPORT
TLS1_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_DH_DSS_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_DH_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_DHE_DSS_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_ADH_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_ECDH_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
TLS1_ECDHE_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
TLS1_ECDH_RSA_WITH_NULL_SHA : SSL_NOT_EXP
TLS1_ECDHE_RSA_WITH_NULL_SHA : SSL_NOT_EXP
TLS1_ECDH_anon_WITH_NULL_SHA : SSL_NOT_EXP
But my SSL config is:
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
And an SSLSCAN test gives:
Supported Server Cipher(s):
Failed SSLv2 168 bits DES-CBC3-MD5
Failed SSLv2 128 bits IDEA-CBC-MD5
Failed SSLv2 128 bits RC2-CBC-MD5
Failed SSLv2 128 bits RC4-MD5
Failed SSLv2 56 bits DES-CBC-MD5
Failed SSLv2 40 bits EXP-RC2-CBC-MD5
Failed SSLv2 40 bits EXP-RC4-MD5
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Accepted SSLv3 256 bits AECDH-AES256-SHA
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Accepted SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Accepted SSLv3 128 bits AECDH-AES128-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Rejected SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Accepted TLSv1 256 bits AECDH-AES256-SHA
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Accepted TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Accepted TLSv1 128 bits AECDH-AES128-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits ADH-SEED-SHA
Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Rejected TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Off-record from the list, I can give you the IP to reproduce it and
investigate the failure.
--
| Sébastien AUCOUTURIER | Software Design Engineer Lead
| ITrust | 55 rue l'Occitane BP 67303 31673 LABEGE CEDEX
| Email: [email protected]
| Fixe Sdt. 05.67.34.67.80 | Fax. 09.80.08.37.23
| IT Security Services & SaaS Editor
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
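
One way to cross-check a scanner's weak-cipher report against sslscan output in the format shown in the message above (an added example, not part of the original message or of OpenVAS): it parses the result lines and keeps only ciphers the server actually accepted that are NULL, export-grade, anonymous or under 128 bits. The sample lines are constructed, and the 128-bit threshold and the reason labels are assumptions.

```python
import re

# Constructed sample: a few lines in the sslscan format shown in the post.
SAMPLE = """\
Failed SSLv2 40 bits EXP-RC4-MD5
Accepted SSLv3 256 bits AES256-SHA
Accepted TLSv1 256 bits AECDH-AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 0 bits NULL-SHA
"""

LINE = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")

def parse_sslscan(text):
    """Yield (status, protocol, bits, cipher) for each cipher result line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            status, proto, bits, cipher = m.groups()
            yield status, proto, int(bits), cipher

def weakness(bits, cipher):
    """Return the reasons an OpenSSL-style cipher name counts as weak."""
    parts = cipher.split("-")
    reasons = []
    if "NULL" in parts:
        reasons.append("no encryption")
    if parts[0] == "EXP":
        reasons.append("export grade")
    if "ADH" in parts or "AECDH" in parts:
        reasons.append("anonymous key exchange")
    if 0 < bits < 128:  # assumed threshold; 0 bits is covered by NULL
        reasons.append("key under 128 bits")
    return reasons

def accepted_weak(text):
    """Map (protocol, cipher) to reasons, for accepted ciphers only."""
    found = {}
    for status, proto, bits, cipher in parse_sslscan(text):
        reasons = weakness(bits, cipher) if status == "Accepted" else []
        if reasons:
            found[(proto, cipher)] = reasons
    return found

if __name__ == "__main__":
    for (proto, cipher), reasons in accepted_weak(SAMPLE).items():
        print(proto, cipher, ", ".join(reasons))
```

Rejected and Failed lines are ignored, so a cipher appears in the result only when the server completed a handshake with it.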