Hello Sebastien,

Thank you for reporting. According to the report below, it listed the weak cipher list only. To get the supported cipher list, please enable "List SSL Supported Ciphers" in the preference (the plugin might take a good amount of time to complete; it is advised to increase the plugin timeout if no results appear), so that it can be compared with SSLSCAN, which lists supported ciphers. Please let us know if you still find a false positive. If possible, try SSL-Enum as well: http://code.google.com/p/ssl-enum

In the report below it said "Server will not support SSLv3 Ciphers." but it listed SSLv3 weak ciphers. It seems that message should not appear. We will investigate this issue. Please do share the IP to reproduce the issue. My email ID: [email protected]

Thanks!
Veerendra

On Thursday 26 July 2012 09:22 PM, Sebastien Aucouturier wrote:
> Hi Team,
> I encountered some false positives with the gb_secpod_ssl_ciphers_weak_report
> plugin.
>
> The plugin gives the following output:
>
> Server will not support SSLv2 Ciphers.
> Server will not support SSLv3 Ciphers.
> Server supports TLSv1 ciphers.
>
> Weak Ciphers
> SSL3_RSA_NULL_MD5 : SSL_NOT_EXP
> SSL3_RSA_NULL_SHA : SSL_NOT_EXP
> SSL3_RSA_RC4_40_MD5 : SSL_EXPORT
> SSL3_RSA_RC2_40_MD5 : SSL_EXPORT
> SSL3_RSA_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_DH_DSS_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_DH_RSA_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_EDH_DSS_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_EDH_RSA_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_ADH_RC4_40_MD5 : SSL_EXPORT
> SSL3_ADH_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_FZA_DMS_NULL_SHA : SSL_NOT_EXP
> SSL3_FZA_DMS_FZA_SHA : SSL_NOT_EXP
> SSL3_FZA_DMS_RC4_SHA : SSL_NOT_EXP
> SSL3_KRB5_DES_40_CBC_SHA : SSL_EXPORT
> SSL3_KRB5_RC2_40_CBC_SHA : SSL_EXPORT
> SSL3_KRB5_RC4_40_SHA : SSL_EXPORT
> SSL3_KRB5_DES_40_CBC_MD5 : SSL_EXPORT
> SSL3_KRB5_RC2_40_CBC_MD5 : SSL_EXPORT
> SSL3_KRB5_RC4_40_MD5 : SSL_EXPORT
> SSL3_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT
> SSL3_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT
> SSL3_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
> SSL3_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
> SSL3_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA : SSL_EXPORT
> SSL3_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_DH_DSS_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_DH_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_DHE_DSS_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_ADH_WITH_SEED_SHA : SSL_NOT_EXP
> SSL3_ECDH_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
> SSL3_ECDHE_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
> SSL3_ECDH_RSA_WITH_NULL_SHA : SSL_NOT_EXP
> SSL3_ECDHE_RSA_WITH_NULL_SHA : SSL_NOT_EXP
> SSL3_ECDH_anon_WITH_NULL_SHA : SSL_NOT_EXP
> TLS1_RSA_NULL_MD5 : SSL_NOT_EXP
> TLS1_RSA_NULL_SHA : SSL_NOT_EXP
> TLS1_RSA_RC4_40_MD5 : SSL_EXPORT
> TLS1_RSA_RC2_40_MD5 : SSL_EXPORT
> TLS1_RSA_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_DH_DSS_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_DH_RSA_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_EDH_DSS_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_EDH_RSA_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_ADH_RC4_40_MD5 : SSL_EXPORT
> TLS1_ADH_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_FZA_DMS_NULL_SHA : SSL_NOT_EXP
> TLS1_FZA_DMS_FZA_SHA : SSL_NOT_EXP
> TLS1_FZA_DMS_RC4_SHA : SSL_NOT_EXP
> TLS1_KRB5_DES_40_CBC_SHA : SSL_EXPORT
> TLS1_KRB5_RC2_40_CBC_SHA : SSL_EXPORT
> TLS1_KRB5_RC4_40_SHA : SSL_EXPORT
> TLS1_KRB5_DES_40_CBC_MD5 : SSL_EXPORT
> TLS1_KRB5_RC2_40_CBC_MD5 : SSL_EXPORT
> TLS1_KRB5_RC4_40_MD5 : SSL_EXPORT
> TLS1_RSA_EXPORT1024_WITH_RC4_56_MD5 : SSL_EXPORT
> TLS1_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 : SSL_EXPORT
> TLS1_RSA_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
> TLS1_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA : SSL_EXPORT
> TLS1_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA : SSL_EXPORT
> TLS1_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_DH_DSS_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_DH_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_DHE_DSS_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_ADH_WITH_SEED_SHA : SSL_NOT_EXP
> TLS1_ECDH_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
> TLS1_ECDHE_ECDSA_WITH_NULL_SHA : SSL_NOT_EXP
> TLS1_ECDH_RSA_WITH_NULL_SHA : SSL_NOT_EXP
> TLS1_ECDHE_RSA_WITH_NULL_SHA : SSL_NOT_EXP
> TLS1_ECDH_anon_WITH_NULL_SHA : SSL_NOT_EXP
>
>
> but my SSL config is:
>
> ssl_protocols SSLv3 TLSv1;
> ssl_ciphers HIGH:!ADH:!MD5;
> ssl_prefer_server_ciphers on;
>
> and an SSLSCAN test gives:
>
> Supported Server Cipher(s):
> Failed SSLv2 168 bits DES-CBC3-MD5
> Failed SSLv2 128 bits IDEA-CBC-MD5
> Failed SSLv2 128 bits RC2-CBC-MD5
> Failed SSLv2 128 bits RC4-MD5
> Failed SSLv2 56 bits DES-CBC-MD5
> Failed SSLv2 40 bits EXP-RC2-CBC-MD5
> Failed SSLv2 40 bits EXP-RC4-MD5
> Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
> Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
> Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
> Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
> Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
> Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
> Accepted SSLv3 256 bits AECDH-AES256-SHA
> Rejected SSLv3 256 bits ADH-AES256-SHA
> Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
> Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
> Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
> Accepted SSLv3 256 bits AES256-SHA
> Accepted SSLv3 256 bits CAMELLIA256-SHA
> Failed SSLv3 256 bits PSK-AES256-CBC-SHA
> Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
> Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
> Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
> Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
> Accepted SSLv3 168 bits AECDH-DES-CBC3-SHA
> Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
> Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
> Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
> Accepted SSLv3 168 bits DES-CBC3-SHA
> Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
> Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
> Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
> Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
> Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
> Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
> Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
> Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
> Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
> Accepted SSLv3 128 bits AECDH-AES128-SHA
> Rejected SSLv3 128 bits ADH-AES128-SHA
> Rejected SSLv3 128 bits ADH-SEED-SHA
> Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
> Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
> Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
> Accepted SSLv3 128 bits AES128-SHA
> Rejected SSLv3 128 bits SEED-SHA
> Accepted SSLv3 128 bits CAMELLIA128-SHA
> Rejected SSLv3 128 bits IDEA-CBC-SHA
> Failed SSLv3 128 bits PSK-AES128-CBC-SHA
> Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
> Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
> Rejected SSLv3 128 bits AECDH-RC4-SHA
> Rejected SSLv3 128 bits ADH-RC4-MD5
> Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
> Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
> Rejected SSLv3 128 bits RC4-SHA
> Rejected SSLv3 128 bits RC4-MD5
> Failed SSLv3 128 bits PSK-RC4-SHA
> Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
> Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
> Rejected SSLv3 56 bits ADH-DES-CBC-SHA
> Rejected SSLv3 56 bits DES-CBC-SHA
> Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
> Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
> Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
> Rejected SSLv3 40 bits EXP-DES-CBC-SHA
> Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
> Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
> Rejected SSLv3 40 bits EXP-RC4-MD5
> Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
> Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
> Rejected SSLv3 0 bits AECDH-NULL-SHA
> Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
> Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
> Rejected SSLv3 0 bits NULL-SHA
> Rejected SSLv3 0 bits NULL-MD5
> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
> Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
> Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
> Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
> Accepted TLSv1 256 bits AECDH-AES256-SHA
> Rejected TLSv1 256 bits ADH-AES256-SHA
> Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA
> Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
> Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
> Accepted TLSv1 256 bits AES256-SHA
> Accepted TLSv1 256 bits CAMELLIA256-SHA
> Failed TLSv1 256 bits PSK-AES256-CBC-SHA
> Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
> Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
> Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
> Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
> Accepted TLSv1 168 bits AECDH-DES-CBC3-SHA
> Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
> Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
> Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
> Accepted TLSv1 168 bits DES-CBC3-SHA
> Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
> Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
> Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
> Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
> Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
> Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
> Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
> Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
> Accepted TLSv1 128 bits AECDH-AES128-SHA
> Rejected TLSv1 128 bits ADH-AES128-SHA
> Rejected TLSv1 128 bits ADH-SEED-SHA
> Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA
> Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
> Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
> Accepted TLSv1 128 bits AES128-SHA
> Rejected TLSv1 128 bits SEED-SHA
> Accepted TLSv1 128 bits CAMELLIA128-SHA
> Rejected TLSv1 128 bits IDEA-CBC-SHA
> Failed TLSv1 128 bits PSK-AES128-CBC-SHA
> Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
> Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
> Rejected TLSv1 128 bits AECDH-RC4-SHA
> Rejected TLSv1 128 bits ADH-RC4-MD5
> Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
> Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
> Rejected TLSv1 128 bits RC4-SHA
> Rejected TLSv1 128 bits RC4-MD5
> Failed TLSv1 128 bits PSK-RC4-SHA
> Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
> Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
> Rejected TLSv1 56 bits ADH-DES-CBC-SHA
> Rejected TLSv1 56 bits DES-CBC-SHA
> Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
> Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
> Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
> Rejected TLSv1 40 bits EXP-DES-CBC-SHA
> Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
> Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
> Rejected TLSv1 40 bits EXP-RC4-MD5
> Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
> Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
> Rejected TLSv1 0 bits AECDH-NULL-SHA
> Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
> Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
> Rejected TLSv1 0 bits NULL-SHA
> Rejected TLSv1 0 bits NULL-MD5
>
>
> Off-record from the list, I can give you the IP to reproduce it and
> investigate the failure.

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
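
Added example (not part of the original messages, and not OpenVAS or sslscan code): a Python cross-check of the two outputs compared in this thread. It finds protocols the plugin report calls unsupported while still listing weak ciphers for them, and lists suites that sslscan marks Accepted and that are weak under assumed criteria (NULL, export, under 128 bits, anonymous key exchange). The sample inputs are constructed in the formats quoted above.

```python
import re

# Constructed sample in the format of the plugin report quoted in the thread.
PLUGIN_REPORT = """\
Server will not support SSLv2 Ciphers.
Server will not support SSLv3 Ciphers.
Server supports TLSv1 ciphers.
SSL3_RSA_NULL_MD5 : SSL_NOT_EXP
SSL3_RSA_RC4_40_MD5 : SSL_EXPORT
TLS1_RSA_NULL_MD5 : SSL_NOT_EXP
"""

# Constructed sample in the format of the sslscan output quoted in the thread.
SSLSCAN_OUTPUT = """\
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AECDH-AES256-SHA
Rejected SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 0 bits NULL-MD5
"""

PREFIX_TO_PROTO = {"SSL3": "SSLv3", "TLS1": "TLSv1"}  # prefixes seen in the report

def plugin_contradictions(report):
    """Protocols the report calls unsupported yet lists weak ciphers for."""
    unsupported = set(re.findall(r"will not support (\S+) Ciphers", report))
    prefixes = re.findall(r"^(SSL3|TLS1)_\S+ : SSL_", report, re.M)
    return sorted(unsupported & {PREFIX_TO_PROTO[p] for p in prefixes})

def weak_reason(bits, cipher):
    """Assumed weakness criteria for this example, not the plugin's own rules."""
    if bits == 0 or "NULL" in cipher:
        return "no encryption"
    if cipher.startswith("EXP") or bits < 128:
        return "export or short key"
    if cipher.startswith(("ADH", "AECDH")):
        return "anonymous key exchange"
    return None

def accepted_weak(scan):
    """(protocol, cipher, reason) for suites sslscan marks Accepted that look weak."""
    rows = re.findall(r"^(\w+)\s+(\S+)\s+(\d+) bits\s+(\S+)", scan, re.M)
    return [(proto, cipher, weak_reason(int(bits), cipher))
            for status, proto, bits, cipher in rows
            if status == "Accepted" and weak_reason(int(bits), cipher)]

if __name__ == "__main__":
    print("Report contradicts itself for:", plugin_contradictions(PLUGIN_REPORT))
    print("Accepted but weak per sslscan:", accepted_weak(SSLSCAN_OUTPUT))
```

In OpenSSL cipher strings, `!ADH` excludes only anonymous DH suites, which is why the AECDH suites still show as Accepted in the quoted sslscan output; `!aNULL` excludes both anonymous DH and anonymous ECDH.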
