Lucene search
K

SSL/TLS Deprecated Ciphers Unsupported

🗓️ 06 Jan 2020 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 1149 Views

SSL/TLS Deprecated Ciphers Unsupported checks for unsupported deprecated SSL/TLS cipher suites, and it advises upgrading to a non-deprecated cipher suite

Code
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');

if (!defined_func("nasl_level") || nasl_level() < 80900 ) exit(0, "Nessus is older than 8.9");

if (description)
{
  script_id(132675);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/13");

  script_xref(name:"IAVA", value:"0001-A-0635");

  script_name(english:"SSL/TLS Deprecated Ciphers Unsupported");
  script_summary(english:"Checks if the remote host advertises deprecated SSL/TLS cipher suites.");

  script_set_attribute(attribute:"synopsis", value:"The remote host uses deprecated SSL/TLS ciphers which are unsupported");
  script_set_attribute(attribute:"description", value:"The remote host has open SSL/TLS ports which advertise 
deprecated cipher suites. The ciphers contained in these suites are no longer supported by most major ssl libraries
such as OpenSSL, NSS, Mbed TLS, and wolfSSL and, as such, should not be used for secure communication.

Nessus 8.9 and later no longer supports these ciphers.");
  script_set_attribute(attribute:"solution", value:"Upgrade to a cipher suite which does not contain deprecated ciphers.");
  script_set_attribute(attribute:"risk_factor", value:"Critical");

  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"unsupported_by_vendor", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2020-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssl_supported_ciphers.nasl");
  script_exclude_keys("global_settings/disable_test_ssl_based_services");
  exit(0);
}

include('byte_func.inc');
include('lists.inc');
include('ssl_funcs.inc');

if (get_kb_item('global_settings/disable_test_ssl_based_services'))
  exit(1, 'Not testing SSL based services per user config.');

var deprecated_ciphers = [
  'TLS1_RSA_EXPORT_WITH_RC4_40_MD5',
  'TLS1_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
  'TLS1_RSA_EXPORT_WITH_DES40_CBC_SHA',
  'TLS1_RSA_WITH_DES_CBC_SHA',
  'TLS1_DH_DSS_WITH_DES_CBC_SHA',
  'TLS1_DH_DSS_WITH_3DES_EDE_CBC_SHA',
  'TLS1_DH_RSA_WITH_DES_CBC_SHA',
  'TLS1_DH_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS1_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
  'TLS1_DHE_DSS_WITH_DES_CBC_SHA',
  'TLS1_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
  'TLS1_DHE_RSA_WITH_DES_CBC_SHA',
  'TLS1_DH_anon_EXPORT_WITH_RC4_40_MD5',
  'TLS1_DH_anon_EXPORT_WITH_DES40_CBC_SHA',
  'TLS1_DH_anon_WITH_DES_CBC_SHA',
  'TLS1_DH_DSS_WITH_AES_128_CBC_SHA',
  'TLS1_DH_RSA_WITH_AES_128_CBC_SHA',
  'TLS1_DH_DSS_WITH_AES_256_CBC_SHA',
  'TLS1_DH_RSA_WITH_AES_256_CBC_SHA',
  'TLS1_DH_DSS_WITH_AES_128_CBC_SHA256',
  'TLS1_DH_RSA_WITH_AES_128_CBC_SHA256',
  'TLS1_DH_DSS_WITH_CAMELLIA_128_CBC_SHA',
  'TLS1_DH_RSA_WITH_CAMELLIA_128_CBC_SHA',
  'TLS1_DH_DSS_WITH_AES_256_CBC_SHA256',
  'TLS1_DH_RSA_WITH_AES_256_CBC_SHA256',
  'TLS1_DH_DSS_WITH_CAMELLIA_256_CBC_SHA',
  'TLS1_DH_RSA_WITH_CAMELLIA_256_CBC_SHA',
  'TLS1_DH_DSS_WITH_SEED_CBC_SHA',
  'TLS1_DH_RSA_WITH_SEED_CBC_SHA',
  'TLS12_DH_RSA_WITH_AES_128_GCM_SHA256',
  'TLS12_DH_RSA_WITH_AES_256_GCM_SHA384',
  'TLS12_DH_DSS_WITH_AES_128_GCM_SHA256',
  'TLS12_DH_DSS_WITH_AES_256_GCM_SHA384',
  'TLS1_ECDH_ECDSA_WITH_RC4_128_SHA',
  'TLS1_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
  'TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
  'TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
  'TLS1_ECDH_RSA_WITH_RC4_128_SHA',
  'TLS1_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA',
  'TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA',
  'TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
  'TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
  'TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA256',
  'TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA384',
  'TLS12_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
  'TLS12_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
  'TLS12_ECDH_RSA_WITH_AES_128_GCM_SHA256',
  'TLS12_ECDH_RSA_WITH_AES_256_GCM_SHA384'
];

var report_header =
'The remote host has listening SSL/TLS ports which only advertise deprecated cipher suites which are no longer\n' +
'supported in Nessus 8.9 and later. The deprecated ciphers are outlined below:\n\n';

##
# Determine if all given ciphers are present in the deprecated_ciphers list.
#
# @param <ciphers:list> List of ciphers advertised.
# @return TRUE if all ciphers are present, FALSE otherwise.
##
function all_ciphers_in_deprecated_list(ciphers)
{
  if (empty_or_null(ciphers))
    return FALSE;
  local_var cipher;
  foreach cipher(ciphers)
  {
    if (!collib::contains(deprecated_ciphers, cipher)){
      return FALSE;
    }
  }
  return TRUE;
}

##########
## Main ##
##########
var ports_and_deprecated_ciphers = {};

var pp_info, port, kbs, cipher_list;
foreach pp_info(get_tls_dtls_ports(dtls:TRUE, ciphers:TRUE))
{
  port = pp_info["port"];
  kbs = pp_info["ciphers"];

  if(pp_info["proto"] != "tls" && pp_info["proto"] != "dtls")
    continue;

  if (empty_or_null(kbs))
    continue;

  cipher_list = make_list(kbs);
  if(all_ciphers_in_deprecated_list(ciphers:cipher_list))
    ports_and_deprecated_ciphers[port] = cipher_list;
}

if (empty_or_null(keys(ports_and_deprecated_ciphers)))
  audit(AUDIT_HOST_NOT, 'affected');

var report;
foreach port (sort(keys(ports_and_deprecated_ciphers)))
{
  report = report_header;
  report += cipher_report(ports_and_deprecated_ciphers[port]);
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

13 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
1149