{"id":1766,"date":"2017-09-13T10:38:50","date_gmt":"2017-09-13T15:38:50","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1766"},"modified":"2017-10-13T10:43:18","modified_gmt":"2017-10-13T15:43:18","slug":"checking-supported-tls-versions-and-ciphers","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1766","title":{"rendered":"Checking Supported TLS Versions and Ciphers"},"content":{"rendered":"<p>There have been a number of SSL vulnerabilities (and deprecated ciphers that\u00a0<em>should<\/em> be unavailable, especially when transmitting particularly sensitive information). On Linux distributions, nmap includes a script that enumerates SSL\/TLS versions and, per version, the supported ciphers.<\/p>\n<p>[lisa@linuxbox ~]# <strong>nmap -P0 -p 25 --script +ssl-enum-ciphers myhost.domain.ccTLD<\/strong><\/p>\n<p>Starting Nmap 7.40 ( https:\/\/nmap.org ) at 2017-10-13 11:36 EDT<br \/>\nNmap scan report for myhost.domain.ccTLD (#.#.#.#)<br \/>\nHost is up (0.00012s latency).<br \/>\nOther addresses for localhost (not scanned): ::1<br \/>\nPORT STATE SERVICE<br \/>\n25\/tcp open smtp<br \/>\n| ssl-enum-ciphers:<br \/>\n| TLSv1.0:<br \/>\n| ciphers:<br \/>\n| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| compressors:<br \/>\n| NULL<br \/>\n| cipher preference: server<br \/>\n| TLSv1.1:<br \/>\n| ciphers:<br \/>\n| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 
2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| compressors:<br \/>\n| NULL<br \/>\n| cipher preference: server<br \/>\n| TLSv1.2:<br \/>\n| ciphers:<br \/>\n| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CCM (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CCM (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) &#8211; A<br \/>\n| compressors:<br \/>\n| NULL<br \/>\n| cipher preference: server<br \/>\n|_ least strength: A<\/p>\n<p>Nmap done: 1 IP address (1 host up) scanned in 144.67 seconds<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There have been a number of ssl vulnerabilities (and deprecated ciphers that\u00a0should be unavailable, especially when transiting particularly sensitive information). On Linux distributions, nmap includes a script that enumerates ssl versions and, per version, the supported ciphers. 
[lisa@linuxbox ~]# nmap -P0 -p 25 --script +ssl-enum-ciphers myhost.domain.ccTLD Starting Nmap 7.40 ( https:\/\/nmap.org ) at 2017-10-13 11:36 &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[236,397,396,395],"class_list":["post-1766","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-ssl","tag-ssl-vulnerabilities","tag-system-administration","tag-tls"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1766"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1766\/revisions"}],"predecessor-version":[{"id":1768,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1766\/revisions\/1768"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}