False algorithm detection
For some servers, some algorithms are reported as supported (accepted), but in fact they are not (the server only returns a web page with information that one should use a stronger cipher).
For instance, I scanned an IIS SSL server to detect weak ciphers and sslscan reported ciphers with key lengths of 40 and 56 bits as accepted. In fact, the SSL server is configured to use ciphers with a key length of at least 128 bits.
I guess there is a need to check the returned page (if there is one) and/or the HTTP headers for a message stating that the client ought to use a stronger cipher. In my case it was 'HTTP Error 403.5 - Forbidden: SSL 128 is required to view this resource.'
I can confirm this, seen on IIS 6.0 on Win2k3. Tempting to suggest that Forbidden responses shouldn't count (at least if there are any 200 OK responses with other ciphers).
Cheers Ian,
-- Martin J.
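The application-layer check the report asks for, and the rule Martin suggests (a 403 should not count as acceptance when other ciphers get a non-403 answer), as an added Python example that is not part of sslscan or this thread. The sample responses are constructed to mirror the IIS behaviour described above; `probe()` assumes OpenSSL cipher names and a host/port you supply.

```python
import re
import socket
import ssl
# Constructed sample responses modelling the IIS behaviour in the thread: the TLS handshake
# succeeds for every cipher, but weak ones get HTTP 403.5 instead of the page. None = handshake failed.
SAMPLE_RESPONSES = {
    "EXP-RC4-MD5": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                   b"HTTP Error 403.5 - Forbidden: SSL 128 is required to view this resource.",
    "DES-CBC-SHA": b"HTTP/1.1 403 Forbidden\r\n\r\n",
    "AES128-SHA":  b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "NULL-MD5":    None,
}
STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")
SUBSTATUS_RE = re.compile(rb"\b(403\.\d+)\b")  # IIS substatus such as 403.5 appears in the body

def probe(host, port, cipher, timeout=5):
    """Negotiate one OpenSSL cipher name and GET '/'; None if the handshake fails (not run offline)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # we are testing ciphers, not certs
    try:
        ctx.set_ciphers(cipher)  # raises if this OpenSSL build no longer offers the cipher
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return tls.recv(4096)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

def http_status(response):
    """Status code of a raw HTTP response, or None if no status line is present."""
    m = STATUS_RE.match(response or b"")
    return int(m.group(1)) if m else None

def classify_ciphers(results):
    """A handshake counts as real acceptance only if HTTP did not answer 403 (given some cipher got a non-403)."""
    status = {c: http_status(r) for c, r in results.items()}
    any_ok = any(s is not None and s != 403 for s in status.values())
    verdicts = {}
    for cipher, resp in results.items():
        if resp is None:
            verdicts[cipher] = "rejected (handshake failed)"
        elif status[cipher] == 403 and any_ok:
            sub = SUBSTATUS_RE.search(resp)
            verdicts[cipher] = "rejected by HTTP " + (sub.group(1).decode() if sub else "403")
        elif status[cipher] == 403:
            verdicts[cipher] = "unclear (403 for every cipher)"  # cannot tell from HTTP alone
        else:
            verdicts[cipher] = "accepted"
    return verdicts
```

To use it against a live host, build `results` as `{cipher: probe(host, 443, cipher) for cipher in candidates}` and pass it to `classify_ciphers()`.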