Public bug reported:

The version of sslscan that's been packaged uses the system version of
OpenSSL, which has removed support for most of the weak and legacy SSL
ciphers. This means that it will fail to detect:

* RC4 ciphers
* Anonymous ciphers
* Null ciphers
* Most weak CBC ciphers
* Weak DHE keys
* Probably others
* SSLv3
* SSLv2

This means that it's giving extremely misleading results, and the
impression that the scanned systems are secure, even if they have all
the weak ciphers and protocols enabled.

sslscan has had an option for a number of years to be statically
compiled against a version of OpenSSL that includes support for all
these, allowing it to detect them (with `make static`), so with the
current state of OpenSSL in Ubuntu, the statically built version needs
to be packaged instead.

If packaging the static build isn't possible (I'm not sure what Ubuntu's
policies are on this), then sslscan should be removed from the
repository, because it's giving totally false information at the moment.

~Robin

** Affects: sslscan (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1798561

Title:
  sslscan fails to detect most ciphers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sslscan/+bug/1798561/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
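A self-check to run before trusting a "no weak ciphers" result from any sslscan build, added here as an example and not part of the bug report or of sslscan itself: it reads the cipher-suite names the linked OpenSSL can offer and reports which of the cipher classes listed above the scanner is therefore unable to detect. The two cipher lists are constructed samples; on a real host the list would come from `openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n'` run against the OpenSSL the scanner is actually linked to (protocol support such as SSLv2/SSLv3 is a separate check and is not covered here).

```shell
#!/bin/sh
# If the library behind the scanner cannot offer a cipher class, the scanner
# cannot negotiate it either, and a clean result for that class is meaningless.

# Constructed sample: what a modern, stripped-down system OpenSSL might list.
MODERN_CIPHERS="TLS_AES_256_GCM_SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA
AES128-SHA"

# Constructed sample: what a static build against a full legacy OpenSSL lists.
LEGACY_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256
RC4-SHA
ECDH-RSA-RC4-SHA
AECDH-AES256-SHA
ADH-DES-CBC3-SHA
NULL-MD5
ECDHE-RSA-NULL-SHA
DES-CBC-SHA
EXP-RC2-CBC-MD5"

# undetectable_classes CIPHER_LIST
# Prints, one per line, each class for which the list holds no suite at all,
# i.e. the classes a scanner using this library can never report.
undetectable_classes() {
    list="$1"
    # Each rule is "class name|regex on OpenSSL cipher-suite names".
    for rule in \
        'RC4|RC4' \
        'anonymous-DH|^(ADH|AECDH)-' \
        'null-encryption|NULL' \
        'export-grade|^EXP-' \
        'single-DES|DES-CBC-SHA$'
    do
        name="${rule%%|*}"
        pattern="${rule#*|}"
        printf '%s\n' "$list" | grep -Eq -- "$pattern" || printf '%s\n' "$name"
    done
}

echo "stripped-down OpenSSL build cannot detect:"
undetectable_classes "$MODERN_CIPHERS" | sed 's/^/  /'
echo "full legacy OpenSSL build cannot detect:"
undetectable_classes "$LEGACY_CIPHERS" | sed 's/^/  /'
```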
