Suche
Close this search box.

NMAP – verify which TLS Protocols are allowed

For security reasons you should’t use TLS protocol versions below TLSv1.2

you may verify that with nmap, here’s an example where only TLSv1.2 and TLSv1.3 is active on port 443 for the hostname sslvpn.example.com

nmap –script ssl-enum-ciphers -p  443 sslvpn.example.com

Example Output – TLSv1.2 and TLSv1.3 active –> recommended


map -sV –script ssl-enum-ciphers -p  443 www.c3it.net     
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 15:06 EDT
Nmap scan report for www.c3it.net (81.19.159.38)
Host is up (0.0060s latency).
rDNS record for 81.19.159.38: www38sni.world4you.com
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) – A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) – A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) – A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) – A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) – A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) – A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) – A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 4096) – A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) – A
|       TLS_RSA_WITH_AES_128_CCM (rsa 4096) – A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) – A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) – A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) – A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) – A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) – A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) – A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 4096) – A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 4096) – A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 4096) – A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 4096) – A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) – A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 4096) – A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 4096) – A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 4096) – A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) – A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) – A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) – A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) – A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) – A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) – A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) – A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) – A
|     cipher preference: server
|_  least strength: A
|_http-server-header: Apache
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.61 seconds

Example Output – TLSv1.1 , TLSv1.2 and TLSv 1.3 active –> not recommended

tarting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 15:26 EDT
Nmap scan report for sslvpn.unknownhostname.com (13.11.23.967)
Host is up (0.0095s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) – A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) – A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp384r1) – A
| TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp384r1) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) – A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) – A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp384r1) – A
| TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp384r1) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) – A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: server
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) – A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) – A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) – A
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 18.84 seconds

jfi. kali linux comes preinstalled with many tools