sslscan fails to detect most ciphers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sslscan (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The version of sslscan that's been packaged uses the system version of OpenSSL, which has removed support for most of the weak and legacy SSL ciphers. This means that it will fail to detect:
* RC4 ciphers
* Anonymous ciphers
* Null ciphers
* Most weak CBC ciphers
* Weak DHE keys
* Probably others
* SSLv3
* SSLv2
This means that it's giving extremely misleading results, and the impression that the scanned systems are secure, even if they have all the weak ciphers and protocols enabled.
sslscan has had an option for a number of years to be statically compiled against a version of OpenSSL that includes support for all these, allowing it to detect them (with `make static`), so with the current state of OpenSSL in Ubuntu, the statically built version needs to be packaged instead.
If packaging the static build isn't possible (I'm not sure what Ubuntu's policies are on this), then sslscan should be removed from the repository, because it's giving totally false information at the moment.
~Robin
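The failure mode the report describes can be checked on any host without sslscan at all: a scanner can only report a cipher suite that its own TLS library is able to put into a ClientHello, so the question to ask is which of the listed families the local OpenSSL can still offer. The script below is an added example, not part of the bug report or of sslscan; it asks that question of the OpenSSL behind Python's `ssl` module using real OpenSSL cipher-string aliases (`RC4`, `aNULL`, `eNULL`, `EXPORT`, `DES`, `3DES`), with the grouping and labels constructed here. It covers cipher families only, not SSLv2/SSLv3 protocol support or DHE parameter size, and its results deliberately depend on the library it runs against.

```python
"""Probe which cipher families the local OpenSSL can even offer.

Constructed example, not sslscan code: a scanner linked against an
OpenSSL that has dropped RC4, NULL or anonymous suites will silently
report them as absent on every target, because it cannot offer them.
"""
import ssl

# OpenSSL cipher-string aliases for the families named in the bug report.
# The aliases are real OpenSSL syntax; the grouping is constructed here.
LEGACY_GROUPS = {
    "RC4 ciphers": "RC4",
    "anonymous ciphers": "aNULL",
    "NULL ciphers": "eNULL",
    "export-grade ciphers": "EXPORT",
    "single DES ciphers": "DES",
    "3DES CBC ciphers": "3DES",
}

# A family every current OpenSSL supports: if this comes back empty the
# probe itself is broken rather than the library being trimmed.
CONTROL_GROUPS = {"ECDHE AES-GCM ciphers": "ECDHE+AESGCM"}


def offerable_ciphers(spec):
    """Return the TLS<=1.2 suite names the local OpenSSL can offer for an
    OpenSSL cipher string, or [] if the library cannot select any of them.

    "@SECLEVEL=0" is tried first so suites that are compiled in but hidden
    by the default security level still count as offerable; the bare spec
    is retried for libraries that reject the SECLEVEL syntax.
    """
    for cipher_string in (spec + ":@SECLEVEL=0", spec):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(cipher_string)
        except ssl.SSLError:
            # "No cipher can be selected": nothing matching is available.
            continue
        # get_ciphers() also lists the always-on TLS 1.3 suites; drop them
        # so a legacy family is not reported as present because of them.
        return sorted(c["name"] for c in ctx.get_ciphers()
                      if c.get("protocol") != "TLSv1.3")
    return []


def probe(groups):
    """Map each group name to the suites the local OpenSSL can offer."""
    return {name: offerable_ciphers(spec) for name, spec in groups.items()}


def untestable(results):
    """Names of groups a scanner built on this OpenSSL could never detect."""
    return sorted(name for name, suites in results.items() if not suites)


if __name__ == "__main__":
    print("OpenSSL behind this interpreter:", ssl.OPENSSL_VERSION)
    results = probe({**CONTROL_GROUPS, **LEGACY_GROUPS})
    for name, suites in results.items():
        status = "offerable" if suites else "NOT offerable"
        shown = ", ".join(suites[:4]) + (" ..." if len(suites) > 4 else "")
        print(f"{name:22s} {status:14s} {shown}")
    missing = untestable(results)
    if missing:
        print("\nA scanner linked against this OpenSSL cannot detect:",
              "; ".join(missing))
```

Run it with the interpreter whose OpenSSL matches the one sslscan was linked against (`sslscan --version` prints that) to see which families are untestable on that host; on an OpenSSL 3 system without the legacy provider the RC4 group comes back empty, which is exactly the blind spot the report complains about, whereas a build done with `make static` is answered by its own bundled OpenSSL rather than the system one.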