Marked all DES/3DES ciphers as weak, as per CVE-2016-2183, corrected some erroneous naming in TLS1_2 cipher list, added some missing 3DES ciphers in TLS1 cipher list.
-- LP
Index: scripts/secpod_ssl_ciphers.inc
===================================================================
--- scripts/secpod_ssl_ciphers.inc (revision 4147)
+++ scripts/secpod_ssl_ciphers.inc (working copy)
@@ -63,38 +63,38 @@
 "SSL3_RSA_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x04),
 "SSL3_RSA_RC4_128_SHA : Weak cipher", raw_string(0x00, 0x05),
 "SSL3_RSA_RC2_40_MD5 : Weak cipher", raw_string(0x00, 0x06),
- "SSL3_RSA_IDEA_128_SHA : Strong cipher", raw_string(0x00, 0x07),
+ "SSL3_RSA_IDEA_128_SHA : Medium cipher", raw_string(0x00, 0x07),
 ## 40 bit ciphers can be brute forced
 "SSL3_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x08),
 ## 64 bit ciphers can be brute forced
 "SSL3_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x09),
- "SSL3_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x0A),
+ "SSL3_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x0A),
 "SSL3_DH_DSS_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x0B),
 "SSL3_DH_DSS_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x0C),
- "SSL3_DH_DSS_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x0D),
+ "SSL3_DH_DSS_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x0D),
 "SSL3_DH_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x0E),
 "SSL3_DH_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x0F),
- "SSL3_DH_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x10),
+ "SSL3_DH_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x10),
 "SSL3_EDH_DSS_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x11),
 "SSL3_EDH_DSS_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x12),
- "SSL3_EDH_DSS_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x13),
+ "SSL3_EDH_DSS_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x13),
 "SSL3_EDH_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x14),
 "SSL3_EDH_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x15),
- "SSL3_EDH_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x16),
+ "SSL3_EDH_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x16),
 "SSL3_ADH_RC4_40_MD5 : Weak cipher", raw_string(0x00, 0x17),
 "SSL3_ADH_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x18),
 "SSL3_ADH_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x19),
 "SSL3_ADH_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x1A),
- "SSL3_ADH_DES_192_CBC_SHA : Medium cipher", raw_string(0x00, 0x1B),
+ "SSL3_ADH_DES_192_CBC_SHA : Weak cipher", raw_string(0x00, 0x1B),
 "SSL3_FZA_DMS_NULL_SHA : No cipher", raw_string(0x00, 0x1C),
 "SSL3_FZA_DMS_FZA_SHA : Weak cipher", raw_string(0x00, 0x1D),
 "SSL3_FZA_DMS_RC4_SHA : Weak cipher", raw_string(0x00, 0x1E),
 "SSL3_KRB5_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x1E),
- "SSL3_KRB5_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x1F),
+ "SSL3_KRB5_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x1F),
 "SSL3_KRB5_RC4_128_SHA : Weak cipher", raw_string(0x00, 0x20),
 "SSL3_KRB5_IDEA_128_CBC_SHA : Medium cipher", raw_string(0x00, 0x21),
 "SSL3_KRB5_DES_64_CBC_MD5 : Weak cipher", raw_string(0x00, 0x22),
- "SSL3_KRB5_DES_192_CBC3_MD5 : Medium cipher", raw_string(0x00, 0x23),
+ "SSL3_KRB5_DES_192_CBC3_MD5 : Weak cipher", raw_string(0x00, 0x23),
 "SSL3_KRB5_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x24),
 "SSL3_KRB5_IDEA_128_CBC_MD5 : Medium cipher", raw_string(0x00, 0x25),
 "SSL3_KRB5_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x26),
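Review bot: Two entries in this SSL3 list share the id raw_string(0x00, 0x1E) — `"SSL3_FZA_DMS_RC4_SHA : Weak cipher"` and `"SSL3_KRB5_DES_64_CBC_SHA : Weak cipher"` — directly above the KRB5 3DES line this hunk downgrades at 0x1F, and the TLS1 list hunk (@@ -181,33 +181,33 @@) carries the same pair. How this bites depends on how the list is consumed, which is outside the hunk: an id-keyed lookup would let one name shadow the other in the report, while a name-keyed iteration would probe the same id twice. Either drop one or mark it deliberately, e.g. `## 0x001E is claimed by both the Fortezza and the KRB5 suite; keep both names`, so the next reader does not "fix" it blindly. The 3DES lines newly rated Weak also have no rationale comment, unlike the `## 64 bit ciphers can be brute forced` line above DES_64; a `## 3DES is a 64 bit block cipher, rated weak per CVE-2016-2183` comment above the first of them would tie the rating to the commit message.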
@@ -144,27 +144,27 @@
 "SSL3_ADH_WITH_SEED_SHA : Medium cipher", raw_string(0x00, 0x9B),
 "SSL3_ECDH_ECDSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x01),
 "SSL3_ECDH_ECDSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x02),
- "SSL3_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x03),
+ "SSL3_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x03),
 "SSL3_ECDH_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x04),
 "SSL3_ECDH_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x05),
 "SSL3_ECDHE_ECDSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x06),
 "SSL3_ECDHE_ECDSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x07),
- "SSL3_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x08),
+ "SSL3_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x08),
 "SSL3_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x09),
 "SSL3_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0A),
 "SSL3_ECDH_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x0B),
 "SSL3_ECDH_RSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x0C),
- "SSL3_ECDH_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x0D),
+ "SSL3_ECDH_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x0D),
 "SSL3_ECDH_RSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0E),
 "SSL3_ECDH_RSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0F),
 "SSL3_ECDHE_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x10),
 "SSL3_ECDHE_RSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x11),
- "SSL3_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x12),
+ "SSL3_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x12),
 "SSL3_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x13),
 "SSL3_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x14),
 "SSL3_ECDH_anon_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x15),
 "SSL3_ECDH_anon_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x16),
- "SSL3_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x17),
+ "SSL3_ECDH_anon_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x17),
 "SSL3_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x18),
 "SSL3_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x19)
 );
@@ -181,33 +181,33 @@
 "TLS1_RSA_IDEA_128_SHA : Medium cipher", raw_string(0x00, 0x07),
 "TLS1_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x08),
 "TLS1_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x09),
- "TLS1_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x0A),
+ "TLS1_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x0A),
 "TLS1_DH_DSS_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x0B),
 "TLS1_DH_DSS_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x0C),
- "TLS1_DH_DSS_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x0D),
+ "TLS1_DH_DSS_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x0D),
 "TLS1_DH_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x0E),
 "TLS1_DH_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x0F),
- "TLS1_DH_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x10),
+ "TLS1_DH_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x10),
 "TLS1_EDH_DSS_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x11),
 "TLS1_EDH_DSS_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x12),
- "TLS1_EDH_DSS_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x13),
+ "TLS1_EDH_DSS_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x13),
 "TLS1_EDH_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x14),
 "TLS1_EDH_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x15),
- "TLS1_EDH_RSA_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x16),
+ "TLS1_EDH_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x16),
 "TLS1_ADH_RC4_40_MD5 : Weak cipher", raw_string(0x00, 0x17),
 "TLS1_ADH_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x18),
 "TLS1_ADH_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x19),
 "TLS1_ADH_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x1A),
- "TLS1_ADH_DES_192_CBC_SHA : Medium cipher", raw_string(0x00, 0x1B),
+ "TLS1_ADH_DES_192_CBC_SHA : Weak cipher", raw_string(0x00, 0x1B),
 "TLS1_FZA_DMS_NULL_SHA : No cipher", raw_string(0x00, 0x1C),
 "TLS1_FZA_DMS_FZA_SHA : Weak cipher", raw_string(0x00, 0x1D),
 "TLS1_FZA_DMS_RC4_SHA : Weak cipher", raw_string(0x00, 0x1E),
 "TLS1_KRB5_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 0x1E),
- "TLS1_KRB5_DES_192_CBC3_SHA : Medium cipher", raw_string(0x00, 0x1F),
+ "TLS1_KRB5_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x1F),
 "TLS1_KRB5_RC4_128_SHA : Weak cipher", raw_string(0x00, 0x20),
 "TLS1_KRB5_IDEA_128_CBC_SHA : Medium cipher", raw_string(0x00, 0x21),
 "TLS1_KRB5_DES_64_CBC_MD5 : Weak cipher", raw_string(0x00, 0x22),
- "TLS1_KRB5_DES_192_CBC3_MD5 : Medium cipher", raw_string(0x00, 0x23),
+ "TLS1_KRB5_DES_192_CBC3_MD5 : Weak cipher", raw_string(0x00, 0x23),
 "TLS1_KRB5_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x24),
 "TLS1_KRB5_IDEA_128_CBC_MD5 : Medium cipher", raw_string(0x00, 0x25),
 "TLS1_KRB5_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 0x26),
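Review bot: The rewritten line at 0x1B keeps the name `TLS1_ADH_DES_192_CBC_SHA`, which is the only 3DES entry in this list without the `CBC3` token every sibling uses (`TLS1_RSA_DES_192_CBC3_SHA`, `TLS1_KRB5_DES_192_CBC3_SHA`, …); the SSL3 list hunk (@@ -63,38 +63,38 @@) has the same `SSL3_ADH_DES_192_CBC_SHA`. Since the commit message already claims to correct erroneous naming, this is the place to make it `"TLS1_ADH_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x1B),`. These strings presumably end up in report text, so before renaming check whether any other script matches on the old spelling.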
@@ -255,29 +255,34 @@
 "TLS1_ADH_WITH_SEED_SHA : Medium cipher", raw_string(0x00, 0x9B),
 "TLS1_ECDH_ECDSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x01),
 "TLS1_ECDH_ECDSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x02),
- "TLS1_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x03),
+ "TLS1_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x03),
 "TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x04),
 "TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x05),
 "TLS1_ECDHE_ECDSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x06),
 "TLS1_ECDHE_ECDSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x07),
- "TLS1_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x08),
+ "TLS1_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x08),
 "TLS1_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x09),
 "TLS1_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0A),
 "TLS1_ECDH_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x0B),
 "TLS1_ECDH_RSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x0C),
- "TLS1_ECDH_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x0D),
+ "TLS1_ECDH_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x0D),
 "TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0E),
 "TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x0F),
 "TLS1_ECDHE_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x10),
 "TLS1_ECDHE_RSA_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x11),
- "TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x12),
+ "TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x12),
 "TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x13),
 "TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x14),
 "TLS1_ECDH_anon_WITH_NULL_SHA : No cipher", raw_string(0xC0, 0x15),
 "TLS1_ECDH_anon_WITH_RC4_128_SHA : Weak cipher", raw_string(0xC0, 0x16),
- "TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher", raw_string(0xC0, 0x17),
+ "TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0xC0, 0x17),
 "TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher", raw_string(0xC0, 0x18),
 "TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher", raw_string(0xC0, 0x19),
+ "TLS1_PSK_WITH_3DES_EDE_CBC_SHA : Weak cipher", raw_string(0x00, 0x8B),
+ "TLS1_DHE_PSK_WITH_3DES_EDE_CBC_SHA : Weak cipher", raw_string(0x00, 0x8F),
+ "TLS1_RSA_PSK_WITH_3DES_EDE_CBC_SHA : Weak cipher", raw_string(0x00, 0x93),
+ + ##https://www.ietf.org/rfc/rfc5289.txt ##TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)
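Review bot: The three added PSK entries spell 3DES as `3DES_EDE_CBC` while every other 3DES entry in the same list is written `DES_192_CBC3`, and they are appended after the 0xC0xx block rather than in id order next to the other 0x8x/0x9x suites, so the list now has two naming conventions and a break in its ordering. Either rename them to match, e.g. `"TLS1_PSK_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x8B),`, or keep the IANA-style names and say so in a comment above them, e.g. `## PSK suites (RFC 4279), named as in the IANA registry`. Only the 3DES members of that PSK family are added here; if the RC4 and AES PSK suites from the same RFC are absent elsewhere in the file, a server offering them would go unreported — worth a check, since I cannot see the rest of the list from this hunk. The mailed diff collapsed the tail of the hunk (`+ + ##https…`), so whether the RFC 5289 comment line is added or context cannot be told from here.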
@@ -438,12 +443,12 @@
 ##AES [AES] in Cipher Block Chaining (CBC) [CBC] mode with an HMAC-based MAC
 "TLS_1_2_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x23),
 "TLS_1_2_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x24),
- "TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x25),
- "TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x26),
+ "TLS_1_2_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x25),
+ "TLS_1_2_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x26),
 "TLS_1_2_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x27),
 "TLS_1_2_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x28),
- "TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x29),
- "TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x2A),
+ "TLS_1_2_ECDH_RSA_WITH_AES_128_CBC_SHA256 : Medium cipher", raw_string(0xC0, 0x29),
+ "TLS_1_2_ECDH_RSA_WITH_AES_256_CBC_SHA384 : Medium cipher", raw_string(0xC0, 0x2A),
 ##Following Supported for TLS 1.2
 "TLS_1_2_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : Medium cipher", raw_string(0xC0, 0x2B),
@@ -452,8 +457,8 @@
 "TLS_1_2_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : Medium cipher", raw_string(0xC0, 0x2E),
 "TLS_1_2_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher", raw_string(0xC0, 0x2F),
 "TLS_1_2_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher", raw_string(0xC0, 0x30),
- "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher", raw_string(0xC0, 0x31),
- "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher", raw_string(0xC0, 0x32));
+ "TLS_1_2_ECDH_RSA_WITH_AES_128_GCM_SHA256 : Medium cipher", raw_string(0xC0, 0x31),
+ "TLS_1_2_ECDH_RSA_WITH_AES_256_GCM_SHA384 : Medium cipher", raw_string(0xC0, 0x32));
 ## This function Constructs and sends ssl request with given ## cipher spec for given ssl version
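Review bot: The renamed entries change report-visible strings — `TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA256`, `TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA384` here and `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256` / `TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384` in the second hunk (@@ -452,8 +457,8 @@) — and any other script or report consumer that matches on the old spellings would stop matching without an error. A grep of the scripts tree for the old names before committing would confirm nothing depends on them; if something does, the commit message should call out the rename as a breaking change rather than a correction. With the prefixes now uniform, the `##Following Supported for TLS 1.2` comment between the CBC and GCM groups no longer separates anything; `## AES-GCM suites (TLS 1.2 only)` would describe what actually follows it.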