nmap ssl-enum-ciphers fails to enumerate tls 1.3

[danie-dejager]

Hi,

I installed version 7.80's RPM ( and also from source) on Fedora 30 where I can't get ssl-enum-ciphers to enumerate TLS 1.3 information for a host I know serves TLS 1.3. I only see that the web server serves TLS 1.2 as below:

# nmap -sV --script ssl-enum-ciphers -p 443  <host>
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-13 14:40 SAST
Nmap scan report for fte1.gs.striata.com (196.38.49.134)
Host is up (0.0087s latency).

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds

Output from Hardenize:

Details from my compiled version using Openssl 1.1.1c which supports TLS 1.3:

# nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1c nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.43 nmap-libpcap-1.9.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

[nnposter]

Nmap currently does not support TLS 1.3

[dmiller-nmap]

I started updating NSE to TLS 1.3 last year some time, but I haven't had as much time to work on it as I would have liked. That said, it is high on my priority list and I hope to have it finished by the next release (which will not take over a year like Nmap 7.80 did!).

[emanruse]

Two more issues with that script. Compare:

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com

to

nmap --script ssl-enum-ciphers -p 443 www.cloudflare.com

The issues are:

1. The order of the 1.2 ciphers is not server-prefered. (the script says cipher preference: client)
2. Ciphers which SSL Labs lists as weak are reported as 'A' grade by the script.

[moabdira]

@dmiller-nmap - Just checking, if you were able made to any progress last two months or so? Thanks for doing this!

[Towky]

@dmiller-nmap Im looking forward for tls 1.3 support too :)

[xeros]

Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.

[emanruse]

Now, since TLS 1.2 has been considered as vulnerable

Link to info source please?

[areis422]

I would also like to see 1.3 support.

[syafiqhadzir]

Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered as vulnerable?

[nod0n]

Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered as vulnerable?

No, but TLS 1.3 is still the future an is already in use modern systems. A lot Websites don't support TLS 1.3 and more and more websites support TLS 1.2 & 1.3.

[Gregory-N-able]

Now, since TLS 1.2 has been considered as vulnerable, it's getting highly desirable to have TLS 1.3 support.

Has TLS 1.2 already been considered as vulnerable?

TLS 1.2 in and of itself is not considered vulnerable at this time. Certain ciphers available in TLS 1.2 are vulnerable.
https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption

[danie-dejager]

I use nmap to perform part in my audit of systems but because it does not support TLS 1.3 I have to use other software to complete my audits where I could've simplified and use fewer tools.