Marked all DES/3DES ciphers as weak, as per CVE-2016-2183; corrected some
erroneous names in the TLS1_2 cipher list; and added some missing 3DES
ciphers to the TLS1 cipher list.

--
LP
Index: scripts/secpod_ssl_ciphers.inc
===================================================================
--- scripts/secpod_ssl_ciphers.inc      (revision 4147)
+++ scripts/secpod_ssl_ciphers.inc      (working copy)
@@ -63,38 +63,38 @@
                   "SSL3_RSA_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x04),
                   "SSL3_RSA_RC4_128_SHA : Weak cipher", raw_string(0x00, 0x05),
                   "SSL3_RSA_RC2_40_MD5 : Weak cipher", raw_string(0x00, 0x06),
-                  "SSL3_RSA_IDEA_128_SHA : Strong cipher", raw_string(0x00, 
0x07),
+                  "SSL3_RSA_IDEA_128_SHA : Medium cipher", raw_string(0x00, 
0x07),
 ## 40 bit ciphers can be brute forced
                   "SSL3_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 
0x08),
 ## 64 bit ciphers can be brute forced
                   "SSL3_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 
0x09),
-                  "SSL3_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x0A),
+                  "SSL3_RSA_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 
0x0A),
                   "SSL3_DH_DSS_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 
0x0B),
                   "SSL3_DH_DSS_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 
0x0C),
-                  "SSL3_DH_DSS_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x0D),
+                  "SSL3_DH_DSS_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x0D),
                   "SSL3_DH_RSA_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 
0x0E),
                   "SSL3_DH_RSA_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 
0x0F),
-                  "SSL3_DH_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x10),
+                  "SSL3_DH_RSA_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x10),
                   "SSL3_EDH_DSS_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x11),
                   "SSL3_EDH_DSS_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x12),
-                  "SSL3_EDH_DSS_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x13),
+                  "SSL3_EDH_DSS_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x13),
                   "SSL3_EDH_RSA_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x14),
                   "SSL3_EDH_RSA_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x15),
-                  "SSL3_EDH_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x16),
+                  "SSL3_EDH_RSA_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x16),
                   "SSL3_ADH_RC4_40_MD5 : Weak cipher", raw_string(0x00, 0x17),
                   "SSL3_ADH_RC4_128_MD5 : Weak cipher", raw_string(0x00, 0x18),
                   "SSL3_ADH_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 
0x19),
                   "SSL3_ADH_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 
0x1A),
-                  "SSL3_ADH_DES_192_CBC_SHA : Medium cipher", raw_string(0x00, 
0x1B),
+                  "SSL3_ADH_DES_192_CBC_SHA : Weak cipher", raw_string(0x00, 
0x1B),
                   "SSL3_FZA_DMS_NULL_SHA : No cipher", raw_string(0x00, 0x1C),
                   "SSL3_FZA_DMS_FZA_SHA : Weak cipher", raw_string(0x00, 0x1D),
                   "SSL3_FZA_DMS_RC4_SHA : Weak cipher", raw_string(0x00, 0x1E),
                   "SSL3_KRB5_DES_64_CBC_SHA : Weak cipher", raw_string(0x00, 
0x1E),
-                  "SSL3_KRB5_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x1F),
+                  "SSL3_KRB5_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 
0x1F),
                   "SSL3_KRB5_RC4_128_SHA : Weak cipher", raw_string(0x00, 
0x20),
                   "SSL3_KRB5_IDEA_128_CBC_SHA : Medium cipher", 
raw_string(0x00, 0x21),
                   "SSL3_KRB5_DES_64_CBC_MD5 : Weak cipher", raw_string(0x00, 
0x22),
-                  "SSL3_KRB5_DES_192_CBC3_MD5 : Medium cipher", 
raw_string(0x00, 0x23),
+                  "SSL3_KRB5_DES_192_CBC3_MD5 : Weak cipher", raw_string(0x00, 
0x23),
                   "SSL3_KRB5_RC4_128_MD5 : Weak cipher", raw_string(0x00, 
0x24),
                   "SSL3_KRB5_IDEA_128_CBC_MD5 : Medium cipher", 
raw_string(0x00, 0x25),
                   "SSL3_KRB5_DES_40_CBC_SHA : Weak cipher", raw_string(0x00, 
0x26),
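Review bot: The changed 0x00,0x07 line moves `SSL3_RSA_IDEA_128_SHA` from Strong to Medium, but IDEA has a 64-bit block like 3DES, so the birthday-bound reasoning behind CVE-2016-2183 plausibly applies to it as well, even though the CVE text names only DES/3DES. If the rating is meant to follow block size, this entry and the `KRB5_IDEA_128_CBC_*` context lines (0x00,0x21 and 0x00,0x25) would read like `"SSL3_RSA_IDEA_128_SHA : Weak cipher", raw_string(0x00, 0x07),`, and the same goes for the TLS1 IDEA entries in the @@ -181 hunk. The commit description does not mention the IDEA change, so a short `##` comment above the line giving the reason for its rating would help, in the style of the existing `## 40 bit ciphers can be brute forced`.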
@@ -144,27 +144,27 @@
                   "SSL3_ADH_WITH_SEED_SHA : Medium cipher", raw_string(0x00, 
0x9B),
                   "SSL3_ECDH_ECDSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x01),
                   "SSL3_ECDH_ECDSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x02),
-                  "SSL3_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x03),
+                  "SSL3_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x03),
                   "SSL3_ECDH_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x04),
                   "SSL3_ECDH_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x05),
                   "SSL3_ECDHE_ECDSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x06),
                   "SSL3_ECDHE_ECDSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x07),
-                  "SSL3_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x08),
+                  "SSL3_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x08),
                   "SSL3_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x09),
                   "SSL3_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0A),
                   "SSL3_ECDH_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 
0x0B),
                   "SSL3_ECDH_RSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x0C),
-                  "SSL3_ECDH_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x0D),
+                  "SSL3_ECDH_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x0D),
                   "SSL3_ECDH_RSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0E),
                   "SSL3_ECDH_RSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0F),
                   "SSL3_ECDHE_RSA_WITH_NULL_SHA : No cipher", raw_string(0xC0, 
0x10),
                   "SSL3_ECDHE_RSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x11),
-                  "SSL3_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x12),
+                  "SSL3_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x12),
                   "SSL3_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x13),
                   "SSL3_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x14),
                   "SSL3_ECDH_anon_WITH_NULL_SHA : No cipher", raw_string(0xC0, 
0x15),
                   "SSL3_ECDH_anon_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x16),
-                  "SSL3_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x17),
+                  "SSL3_ECDH_anon_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x17),
                   "SSL3_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x18),
                   "SSL3_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x19)
                 );
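Review bot: The `SSL3_ECDH_anon_WITH_AES_*` entries at 0xC0,0x18 and 0xC0,0x19 stay at Medium while only the anon 3DES suite is downgraded, yet anonymous key exchange provides no server authentication whatever the bulk cipher is. Unless another check reports anon suites separately (not visible in this diff), consider rating them Weak, e.g. `"SSL3_ECDH_anon_WITH_AES_128_CBC_SHA : Weak cipher", raw_string(0xC0, 0x18),`, or adding a `##` comment stating that the label rates only the bulk cipher. The same applies to `SSL3_ADH_WITH_SEED_SHA` at the top of this hunk and to the TLS1 equivalents in the @@ -255 hunk.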
@@ -181,33 +181,33 @@
                       "TLS1_RSA_IDEA_128_SHA : Medium cipher", 
raw_string(0x00, 0x07),
                       "TLS1_RSA_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x08),
                       "TLS1_RSA_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x09),
-                      "TLS1_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x0A),
+                      "TLS1_RSA_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x0A),
                       "TLS1_DH_DSS_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x0B),
                       "TLS1_DH_DSS_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x0C),
-                      "TLS1_DH_DSS_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x0D),
+                      "TLS1_DH_DSS_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x0D),
                       "TLS1_DH_RSA_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x0E),
                       "TLS1_DH_RSA_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x0F),
-                      "TLS1_DH_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x10),
+                      "TLS1_DH_RSA_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x10),
                       "TLS1_EDH_DSS_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x11),
                       "TLS1_EDH_DSS_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x12),
-                      "TLS1_EDH_DSS_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x13),
+                      "TLS1_EDH_DSS_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x13),
                       "TLS1_EDH_RSA_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x14),
                       "TLS1_EDH_RSA_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x15),
-                      "TLS1_EDH_RSA_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x16),
+                      "TLS1_EDH_RSA_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x16),
                       "TLS1_ADH_RC4_40_MD5 : Weak cipher", raw_string(0x00, 
0x17),
                       "TLS1_ADH_RC4_128_MD5 : Weak cipher", raw_string(0x00, 
0x18),
                       "TLS1_ADH_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x19),
                       "TLS1_ADH_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x1A),
-                      "TLS1_ADH_DES_192_CBC_SHA : Medium cipher", 
raw_string(0x00, 0x1B),
+                      "TLS1_ADH_DES_192_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x1B),
                       "TLS1_FZA_DMS_NULL_SHA : No cipher", raw_string(0x00, 
0x1C),
                       "TLS1_FZA_DMS_FZA_SHA : Weak cipher", raw_string(0x00, 
0x1D),
                       "TLS1_FZA_DMS_RC4_SHA : Weak cipher", raw_string(0x00, 
0x1E),
                       "TLS1_KRB5_DES_64_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x1E),
-                      "TLS1_KRB5_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0x00, 0x1F),
+                      "TLS1_KRB5_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0x00, 0x1F),
                       "TLS1_KRB5_RC4_128_SHA : Weak cipher", raw_string(0x00, 
0x20),
                       "TLS1_KRB5_IDEA_128_CBC_SHA : Medium cipher", 
raw_string(0x00, 0x21),
                       "TLS1_KRB5_DES_64_CBC_MD5 : Weak cipher", 
raw_string(0x00, 0x22),
-                      "TLS1_KRB5_DES_192_CBC3_MD5 : Medium cipher", 
raw_string(0x00, 0x23),
+                      "TLS1_KRB5_DES_192_CBC3_MD5 : Weak cipher", 
raw_string(0x00, 0x23),
                       "TLS1_KRB5_RC4_128_MD5 : Weak cipher", raw_string(0x00, 
0x24),
                       "TLS1_KRB5_IDEA_128_CBC_MD5 : Medium cipher", 
raw_string(0x00, 0x25),
                       "TLS1_KRB5_DES_40_CBC_SHA : Weak cipher", 
raw_string(0x00, 0x26),
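Review bot: `TLS1_FZA_DMS_RC4_SHA` and `TLS1_KRB5_DES_64_CBC_SHA` are both mapped to `raw_string(0x00, 0x1E)` in the context lines, so a server accepting that code point would presumably be reported under two different names. Both are rated Weak, so severity is unaffected, but the report text is ambiguous; as far as I know the code point was a Fortezza suite in SSLv3 and was reused for Kerberos DES in TLS, so dropping the Fortezza entry from the TLS1 list or adding a `##` comment on the pair would resolve it. The SSL3 list in the first hunk carries the same pair. Separately, `TLS1_ADH_DES_192_CBC_SHA` at 0x00,0x1B (and its SSL3 twin) lacks the `CBC3` used by every other 3DES name here, which fits the naming cleanup this commit is already doing.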
@@ -255,29 +255,34 @@
                       "TLS1_ADH_WITH_SEED_SHA : Medium cipher", 
raw_string(0x00, 0x9B),
                       "TLS1_ECDH_ECDSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x01),
                       "TLS1_ECDH_ECDSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x02),
-                      "TLS1_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x03),
+                      "TLS1_ECDH_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x03),
                       "TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x04),
                       "TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x05),
                       "TLS1_ECDHE_ECDSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x06),
                       "TLS1_ECDHE_ECDSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x07),
-                      "TLS1_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Medium 
cipher", raw_string(0xC0, 0x08),
+                      "TLS1_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x08),
                       "TLS1_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x09),
                       "TLS1_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0A),
                       "TLS1_ECDH_RSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x0B),
                       "TLS1_ECDH_RSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x0C),
-                      "TLS1_ECDH_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x0D),
+                      "TLS1_ECDH_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x0D),
                       "TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0E),
                       "TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x0F),
                       "TLS1_ECDHE_RSA_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x10),
                       "TLS1_ECDHE_RSA_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x11),
-                      "TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x12),
+                      "TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x12),
                       "TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x13),
                       "TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x14),
                       "TLS1_ECDH_anon_WITH_NULL_SHA : No cipher", 
raw_string(0xC0, 0x15),
                       "TLS1_ECDH_anon_WITH_RC4_128_SHA : Weak cipher", 
raw_string(0xC0, 0x16),
-                      "TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Medium cipher", 
raw_string(0xC0, 0x17),
+                      "TLS1_ECDH_anon_WITH_DES_192_CBC3_SHA : Weak cipher", 
raw_string(0xC0, 0x17),
                       "TLS1_ECDH_anon_WITH_AES_128_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x18),
                       "TLS1_ECDH_anon_WITH_AES_256_CBC_SHA : Medium cipher", 
raw_string(0xC0, 0x19),
+                                         "TLS1_PSK_WITH_3DES_EDE_CBC_SHA : 
Weak cipher", raw_string(0x00, 0x8B),
+                                         "TLS1_DHE_PSK_WITH_3DES_EDE_CBC_SHA : 
Weak cipher", raw_string(0x00, 0x8F),
+                                         "TLS1_RSA_PSK_WITH_3DES_EDE_CBC_SHA : 
Weak cipher", raw_string(0x00, 0x93),
+                                         
+                                         
 
 ##https://www.ietf.org/rfc/rfc5289.txt
 ##TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter 
Mode (GCM)
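Review bot: The three added PSK entries use `3DES_EDE_CBC` in their names and a much deeper indent than the rest of the list, which names 3DES suites `DES_192_CBC3`, and two whitespace-only `+` lines follow them. For consistency with the surrounding entries, the first would read `"TLS1_PSK_WITH_DES_192_CBC3_SHA : Weak cipher", raw_string(0x00, 0x8B),` at the list's normal indent, with the blank additions dropped. The code points match the PSK 3DES assignments as far as I can tell. It is not visible here whether the TLS 1.2 list, or other 3DES families such as SRP and ECDHE_PSK, already have matching entries, so that is worth checking against the description's "all DES/3DES" claim.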
@@ -438,12 +443,12 @@
 ##AES [AES] in Cipher Block Chaining (CBC) [CBC] mode with an HMAC-based MAC
                          "TLS_1_2_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x23),
                          "TLS_1_2_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x24),
-                         "TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x25),
-                         "TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x26),
+                         "TLS_1_2_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x25),
+                         "TLS_1_2_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x26),
                          "TLS_1_2_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x27),
                          "TLS_1_2_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x28),
-                         "TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x29),
-                         "TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x2A),
+                         "TLS_1_2_ECDH_RSA_WITH_AES_128_CBC_SHA256 : Medium 
cipher", raw_string(0xC0, 0x29),
+                         "TLS_1_2_ECDH_RSA_WITH_AES_256_CBC_SHA384 : Medium 
cipher", raw_string(0xC0, 0x2A),
 
 ##Following Supported for TLS 1.2
                          "TLS_1_2_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : Medium 
cipher", raw_string(0xC0, 0x2B),
@@ -452,8 +457,8 @@
                          "TLS_1_2_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : Medium 
cipher", raw_string(0xC0, 0x2E),
                          "TLS_1_2_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : Medium 
cipher", raw_string(0xC0, 0x2F),
                          "TLS_1_2_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : Medium 
cipher", raw_string(0xC0, 0x30),
-                         "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : Medium 
cipher", raw_string(0xC0, 0x31),
-                         "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : Medium 
cipher", raw_string(0xC0, 0x32));
+                         "TLS_1_2_ECDH_RSA_WITH_AES_128_GCM_SHA256 : Medium 
cipher", raw_string(0xC0, 0x31),
+                         "TLS_1_2_ECDH_RSA_WITH_AES_256_GCM_SHA384 : Medium 
cipher", raw_string(0xC0, 0x32));
 
 ## This function Constructs and sends ssl request with given
 ## cipher spec for given ssl version