Potential False Positives with TLS/SSL Test

I am investigating potential false positives with two OpenVAS vulnerability tests and would appreciate guidance on proper investigation methodology.

Issue Description

I am seeing detections from these two NVTs on a target behind a CDN:

  • SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection

  • SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (specifically SWEET32-vulnerable 3DES ciphers)

Multiple independent verification attempts using different tools and methods have failed to reproduce those findings.

  • Target is behind a CDN with a modern TLS configuration

  • Other similar targets with “virtually identical” CDN configurations do not show these vulnerabilities.

Are there known scenarios where OpenVAS might detect TLS issues on CDN origin servers rather than the presented CDN edge configuration?

What’s the recommended approach for investigating potential false positives with TLS/SSL tests in CDN environments?

Are there specific QoD settings or scan parameters that might affect the reliability of these detections behind CDNs?

Has anyone encountered similar scenarios with TLS/SSL detection? Any guidance on investigation methodology or known edge cases would be greatly appreciated.

If not, how could I disable those VT tests?

The checks in question are not false-positive prone and are reporting what the service itself is reporting back.

When verifying SSL/TLS results with external tools please keep in mind:

  1. the checks are always querying the IP of the target system in question
  2. the port against which the results have been reported (e.g. I have seen people looking at results for port 8443/tcp but testing manually only against 443/tcp)
  3. external tools might be linked against newer OpenSSL versions which might not even support some older vulnerable cipher suites and/or TLS versions anymore and are thus showing false negatives

That helps; just some feedback on what I found:
Key insight: OpenVAS scanned completely different CDN edge server IPs than what current DNS resolution returns.
The command nmap --script ssl-enum-ciphers -p 443 confirms the supported TLS versions.

Why I could not identify this at first:

  • CDN dynamic routing means you likely tested different edge servers

  • Different service configurations between your domains

  • Geographic differences in edge server assignments

Thanks for the reply

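A small triage helper, added here as an example and not part of the thread, that ties together the three verification points above and the nmap command from the follow-up: it parses (constructed) nmap ssl-enum-ciphers output taken against the scanner-reported IP and port, reproduces the two NVT conclusions (deprecated protocol offered, 3DES/SWEET32 cipher offered), and reports whether the local OpenSSL can even negotiate TLSv1.0/1.1, so a clean result from a modern tool is not mistaken for a false positive. The sample output and the function names are assumptions, not real scan data.

```python
"""Triage helper for the two NVT findings discussed in the thread (constructed example)."""
import re
import ssl

DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <scanner-reported IP>`
# output; not a real scan result.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
"""

VERSION_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\b")


def parse_enum_ciphers(text):
    """Map each protocol version the service offered to the ciphers listed under it."""
    offered, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            offered[current].append(m.group(1))
    return offered


def triage(offered):
    """Reproduce the two NVT conclusions from the parsed output."""
    return {
        "deprecated_versions": sorted(v for v in offered if v in DEPRECATED),
        "sweet32_ciphers": sorted({c for cs in offered.values() for c in cs if "3DES" in c}),
    }


def local_tool_can_negotiate():
    """Point 3 above: if the local OpenSSL cannot speak TLSv1.0/1.1, a clean result
    from a tool built on it is a false negative, not proof of a false positive."""
    return {"TLSv1.0": ssl.HAS_TLSv1, "TLSv1.1": ssl.HAS_TLSv1_1,
            "openssl": ssl.OPENSSL_VERSION}
```

Run the nmap command against each IP and port listed in the OpenVAS report (not against whatever the hostname resolves to today), feed the output to parse_enum_ciphers, and only treat an empty triage result as a contradiction of the NVT when local_tool_can_negotiate shows the checking tool actually supports the deprecated versions.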