
How does Qualys determine the server Cipher Suites?

Question asked by Michael Yip on Mar 28, 2018
Latest reply on May 30, 2018 by Michael Yip

Updates

Does Qualys use "nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 <target>" to obtain a list of cipher suites on the target server? The output from this command for cipher suites is different from the output of the openssl command. Notice the discrepancies?

...

| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (19)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (31)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

...

Original Question

Recently I made changes to openssl on the server to support only TLS 1.1 and 1.2 with explicit protocols. The test did recognize that only these 2 protocols are supported. However, the cipher suites Qualys displayed are different from what the server reported here.

Here is what the server said it supports.


tls1_1: ECDHE-RSA-AES256-SHA
tls1_1: DHE-RSA-AES256-SHA
tls1_1: DHE-RSA-CAMELLIA256-SHA
tls1_1: AES256-SHA
tls1_1: CAMELLIA256-SHA
tls1_1: ECDHE-RSA-AES128-SHA
tls1_1: DHE-RSA-AES128-SHA
tls1_1: DHE-RSA-CAMELLIA128-SHA
tls1_1: AES128-SHA
tls1_1: CAMELLIA128-SHA

tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: DHE-RSA-AES256-GCM-SHA384
tls1_2: DHE-RSA-AES256-SHA256
tls1_2: DHE-RSA-AES256-SHA
tls1_2: DHE-RSA-CAMELLIA256-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA256
tls1_2: AES256-SHA
tls1_2: CAMELLIA256-SHA
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES128-SHA256
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: DHE-RSA-AES128-GCM-SHA256
tls1_2: DHE-RSA-AES128-SHA256
tls1_2: DHE-RSA-AES128-SHA
tls1_2: DHE-RSA-CAMELLIA128-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA256
tls1_2: AES128-SHA
tls1_2: CAMELLIA128-SHA

Here is what Qualys reported. How is that possible?

<long content truncated>

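Two things make the nmap and openssl lists in this thread hard to compare by eye: nmap's ssl-enum-ciphers prints IANA/RFC suite names (TLS_DHE_RSA_WITH_AES_128_CBC_SHA) while openssl prints its own short names (DHE-RSA-AES128-SHA), and an active scanner decides what a server accepts by completing one handshake per (protocol, suite) against the listening port rather than by reading what the local library could offer. The script below is an added example, not code from the post or from Qualys: it translates OpenSSL names to IANA names, diffs the two TLS 1.1 lists quoted above (copied from the post; nmap's output there is truncated, so only the printed suites are compared), and includes a per-suite handshake probe built on Python's standard `ssl` module. The `host`/`port` arguments to the probe are hypothetical placeholders; nothing here claims to be the method Qualys uses.

```python
"""Reconcile OpenSSL-named and IANA-named cipher-suite lists, and probe a
server one suite at a time the way an active scanner does.

Added example; not code from the original post or from Qualys.
"""
import re
import socket
import ssl

# Key-exchange/authentication prefixes as OpenSSL spells them -> IANA spelling.
# An OpenSSL name with no prefix (e.g. "AES128-SHA") means plain RSA key exchange.
_KX_PREFIXES = [
    ("ECDHE-ECDSA-", "ECDHE_ECDSA"),
    ("ECDHE-RSA-", "ECDHE_RSA"),
    ("DHE-RSA-", "DHE_RSA"),
    ("DHE-DSS-", "DHE_DSS"),
]
# Bulk-cipher spellings (OpenSSL -> IANA) covering the suites on this page.
_BULK = [
    (re.compile(r"^AES(128|256)-GCM$"), r"AES_\1_GCM"),
    (re.compile(r"^AES(128|256)$"), r"AES_\1_CBC"),
    (re.compile(r"^CAMELLIA(128|256)$"), r"CAMELLIA_\1_CBC"),
    (re.compile(r"^DES-CBC3$"), "3DES_EDE_CBC"),
    (re.compile(r"^RC4$"), "RC4_128"),
    (re.compile(r"^SEED$"), "SEED_CBC"),
]
_MACS = {"MD5", "SHA", "SHA256", "SHA384"}


def openssl_to_iana(name: str) -> str:
    """DHE-RSA-AES128-SHA -> TLS_DHE_RSA_WITH_AES_128_CBC_SHA; ValueError if unknown."""
    kx, rest = "RSA", name
    for prefix, iana_kx in _KX_PREFIXES:
        if name.startswith(prefix):
            kx, rest = iana_kx, name[len(prefix):]
            break
    bulk, _, mac = rest.rpartition("-")        # trailing component is the MAC/PRF hash
    if mac not in _MACS or not bulk:
        raise ValueError(f"unrecognised OpenSSL suite name: {name}")
    for pattern, repl in _BULK:
        if pattern.match(bulk):
            return f"TLS_{kx}_WITH_{pattern.sub(repl, bulk)}_{mac}"
    raise ValueError(f"unrecognised bulk cipher in: {name}")


def scanner_only(openssl_names, scanner_iana_names):
    """IANA names a scanner reported that are absent from the server's own
    OpenSSL-named list, after normalising both sides to IANA spelling."""
    local = {openssl_to_iana(n) for n in openssl_names}
    return sorted(set(scanner_iana_names) - local)


# Constructed from the post: the server's TLS 1.1 list (openssl names) and the
# TLS 1.1 suites nmap printed (the post shows 6 of the 19 nmap counted).
SERVER_TLS11 = [
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA",
    "AES256-SHA", "CAMELLIA256-SHA", "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA",
    "DHE-RSA-CAMELLIA128-SHA", "AES128-SHA", "CAMELLIA128-SHA",
]
NMAP_TLS11 = [
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_SEED_CBC_SHA",
]


def probe(host, port, version, openssl_cipher, timeout=5.0):
    """One handshake offering exactly one protocol version and one suite.
    Returns the negotiated OpenSSL suite name, or None if the server (or the
    local OpenSSL build) refused.  host/port are hypothetical placeholders."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # enumerating suites, not validating identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # @SECLEVEL=0 lets a modern OpenSSL still offer legacy suites (RC4, 3DES).
        ctx.set_ciphers(f"{openssl_cipher}:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def enumerate_suites(host, port=443):
    """Per-suite handshakes for TLS 1.1 and 1.2 -> {version: [IANA names]}."""
    offer = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    offer.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    candidates = [c["name"] for c in offer.get_ciphers() if c["protocol"] != "TLSv1.3"]
    result = {}
    for version in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        accepted = []
        for name in candidates:
            if probe(host, port, version, name) == name:
                try:
                    accepted.append(openssl_to_iana(name))
                except ValueError:
                    accepted.append(name)      # outside the table; keep OpenSSL spelling
        result[version.name] = accepted
    return result


if __name__ == "__main__":
    print("TLS 1.1 suites nmap printed that the server's openssl list lacks:")
    for suite in scanner_only(SERVER_TLS11, NMAP_TLS11):
        print("  ", suite)
```

After normalising names, the diff of the two TLS 1.1 lists quoted in the post leaves three suites nmap printed that the openssl list does not contain (3DES, RC4 and SEED). A list produced by `openssl ciphers` describes what the local library can offer, while `enumerate_suites` (and nmap's script) records only suites the listening service actually completes a handshake with, so the two views can legitimately differ; running the probe against the real port is the way to settle which list reflects the service. Note that `enumerate_suites` makes one TCP connection per candidate suite and protocol, and that TLS 1.1 handshakes may be refused by the local OpenSSL build regardless of the server.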