Is there a resolution to nmap ssl-enum-ciphers not returning all TLS 1.2 cipher suites?
Microsoft lists 36 cipher suites available to TLS 1.2 protocol enabled in a vanilla installation of Windows Server 2016 Build 1607:
- excludes 2 cipher suites available only used when an application explicitly requests
- source: https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1607
Accounting for enabled=false Ciphers and KeyExchangeAlgorithms (registry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL), and verifying that Cipher Suite Order and Elliptic Curve Order is default (gpedit.msc), the list of enabled cipher suites is reduced to 32.
Why does nmap 7.9.1 return only 10 cipher suites?
nmap --script ssl-enum-ciphers -p3389 TestServerName.domain.tld
results
4 x TLS_DHE_RSA_WITH_AES_*, and
6 x TLS_ECDHE_RSA_WITH_AES_*
The most recent update on nmap.org thread "ssl-enum-ciphers not returning all ciphers" is July 23, 2019: https://seclists.org/nmap-dev/2019/q3/4
Has anyone resolved this issue?
PS There is a difference of TLS version in a single network trace frame (shown below) and I'm not certain if this is part of the issue or unrelated.
I have learned that the the ordered set of Cipher Suites that are Enabled on a Windows device is defined in the value data from the Functions value located in the Registry at:
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
This can be populated during creation of the Group Policy Object, or locally using Group Policy Editor (i.e. choosing "Enabled" and editing the list and/or order of cipher suites).
If Functions value is absent, then the ordered set of Enabled cipher suites are default for the Edition and Build of Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
- curl: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate
- MongoDB TLS transport encryption check
- Powershell script to check TLS 1.2 enabled in the browser
- Windows 7 with .NET 4.8 installed and using tls1.2 still getting 'Could not create SSL/TLS secure channel' on certain websites - but not all websites
- How to Test TLSv1 Connection for Python Requests to GoLang TLSv1 HTTPS Server
- Update .NET web service to use TLS 1.2
- DICOM TLS between Orthanc and pynetDicom fails with error ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error
- How to fix Stripe Error: Network error [errno 77]: error setting certificate verify locations
- GoLang Mochi MQTT Server with Python Paho MQTT Client TLS Authentication Verification Failed
- How to fix proxyconnect tcp: tls: first record does not look like a TLS handshake
- how is an SSL certificate chain bundle arranged?
- Sudden TLS/SSL RestSharp failure on Win7 comps
- Enable a specific cipher suite for Java 11
- What is the role of https.Agent in Node?
- SQL Server error 31 - "Encryption(ssl/tls) handshake failed", in an AWS Lambda function
- How to test which version of TLS my .NET client is using?
- Spring Boot MongoDB Connectivity Issue
- How to determine incoming TLS version for Azure Storage
- OpenPop library how to use TLS
- How to add TLS to a particular context path in tomcat
- Windows 7 Could not create SSL/TLS secure channel."} System.Net.WebException
- How to change TLS protocol settings in HttpClient in Ballerina
- TLS v1.2 Cipher Suites in .NET 6 / GET Request Timeout
- Command prompt to check TLS version required by a host
- MQ Client -> MQ Server TLS Communication fails with different errorrs AMQ9665E
- Blazor server and ASPNET Identity: going through FW only works when certificate has the same DNS name as the site in the subject alternative name
- Server POST request works with http but not with https ERROR: routines::packet length too long
- Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?
- SSL V3 Handhake failure via FTP_TLS()
- Enable and Disable TLS and SSL in IE on windows 10 local machine(not windows server) using powershell