SSLScan - Fast SSL Scanner / Bugs / #1 False algorithm detection

#1 False algorithm detection

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2007-12-14

Created: 2007-12-14

Creator: Anonymous

Private: No

For some servers, there are reported some algorithms as supported (accepted), but in fact they are not (server only returns a web page with information one should use a stronger cipher.)

For instance, I scanned an IIS SSL server to detect weak ciphers and the sslscan detected ciphers with key length of 40 and 56 bits as accepted. In fact, the SSL server is configured to use ciphers with key length at least of 128 bits.

I guess, there is a need to check the returned page (if there is one) and/or HTTP headers for message stating the client ought to use a stronger cipher. In my case it was 'HTTP Error 403.5 - Forbidden: SSL 128 is required to view this resource.'

Discussion

Nobody/Anonymous - 2008-05-12

Logged In: NO

I can confirm this, seen on IIS 6.0 on Win2k3. Tempting to suggest that Forbidden responses shouldn't count (at least if there are any 200 OK responses with other ciphers).

Cheers Ian,

-- Martin J.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

False algorithm detection

Group

Searches

Help

#1 False algorithm detection

Discussion