Hi All,
I am using Synapse (SSL/TLS Plugin Architecture) in my project, and I have currently enabled the possibility to set the cipher list. It seems to work fine; I am able to filter using different rules there. The point is the following:
If I run on the command line: openssl ciphers -v 'ALL:eNULL'
I see a huge cipher suite supported by openssl,
but setting the same using the Synapse plugin ('ALL:eNULL'), running my server and checking with nmap the list of ciphers I have available, the list is too short.
nmap --script ssl-enum-ciphers -p 6000 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-24 12:21 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).
PORT STATE SERVICE
6000/tcp open X11
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Ciphersuite uses MD5 for message integrity
| Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
This makes me believe that there is some setting or limitation there, so that I cannot see the full cipher suite supported by openssl.
Do any of you have more information about it? I was searching the web and could not find enough information to understand what is going on.
Any help would be appreciated.
Regards
Sebastian
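
One way to read the scan result above, as an added example that is not part of the original post or of Synapse: this Python script parses the ssl-enum-ciphers lines quoted in the post and groups the offered suites by key-exchange family, which shows that every suite the server offered is a TLS_RSA_* suite. The function names and the list of families checked are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the cipher section of the nmap output quoted in the post.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
"""

# Matches "| TLS_<name> (<key info>) - <grade>"; headers like "TLSv1.2:" do not match.
SUITE_RE = re.compile(r"\|\s+(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])")
# Key-exchange families to look for (a list chosen for this example).
FAMILIES = ("RSA", "DHE_RSA", "ECDHE_RSA", "ECDHE_ECDSA", "DH_anon", "ECDH_anon")

def parse_suites(text):
    """Return (suite, key info, nmap grade) for every cipher line."""
    return [m.groups() for m in map(SUITE_RE.search, text.splitlines()) if m]

def key_exchange(suite):
    """IANA names read TLS_<kx/auth>_WITH_<cipher>_<mac>; return the kx/auth part."""
    return suite[len("TLS_"):].split("_WITH_", 1)[0]

def summarize(text):
    suites = parse_suites(text)
    kx = Counter(key_exchange(name) for name, _, _ in suites)
    bulk = {name: name.split("_WITH_", 1)[1] for name, _, _ in suites}
    return {
        "count": len(suites),
        "kx": dict(kx),
        "missing_kx": [f for f in FAMILIES if f not in kx],
        "null_suites": [n for n in bulk if bulk[n].startswith("NULL")],
        # Graded below A by nmap, or using RC4/3DES/MD5 as flagged in its warnings.
        "weak": sorted(n for n, _, g in suites
                       if g != "A" or re.search(r"RC4|3DES|MD5", bulk[n])),
    }

if __name__ == "__main__":
    for key, value in summarize(NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```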