I have a host which is running Microsoft’s default SSTP VPN.
I’m getting vulnerability
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS with oid
It’s telling me cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA is enabled.`
However, this cipher was disabled by using IIS Crypto and I validated it with a local NMAP scan, which does not return
TLS_RSA_WITH_3DES_EDE_CBC_SHA but the following:
Can someone elaborate a bit more on why this happens? Is the NMAP check invalid or the VT?
I’m bumping this to see if anyone has insight.
You can get the full output which ciphers have been enumerated (which is the base for the VT in question) in the result of the following VT in your report (you need to update your filter to show “Log” level results accordingly):
Name: SSL/TLS: Report Supported Cipher Suites
As i haven’t seen any false reporting of the supported ciphers in all these years (the enumeration should be quite reliable as it looks for a specific hex string the server is choosing in the SSL/TLS handshake) there are two options left:
- The nmap call is done against the 443/tcp port but the result of the mentioned VT is coming from another service (e.g. some third party software on a higher port)
- nmap is internally calling some libraries (like e.g. openssl or some LUA internal libs) which doesn’t support
I would cross check with https://github.com/rbsec/sslscan (make sure to build it with
make static so that the older openssl library is used).
Thanks, I’ll test it and get back to you.