Lucene search
K

SSL / TLS Versions Supported

🗓️ 01 Dec 2011 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 885 Views

SSL / TLS Versions Supported. Checks supported encryption

Code
#TRUSTED 71c27e9d42110b7f4bf7f21f7ff29f2dd9c755a18252df93d05ef82d47d554c39ec74ab2a92f0c9ffc2273d444de40a3218c1fe5785e9ea929d37ca4b32c2c54e9faf39cdfb1e036836993b2cab1d268eaadc24b92309cc8e273f9434911ce28faaaf52633be4071c34774660f83a2cf966fd52d82dd04105c2b6491a95e2630c83e5b829a386278c22f464e1ceaebad7ceb4578c041528b198e0df25bb5738dda67e550eed9f631492387b75ba7fcfc4e3013542442d4dc16347f799fc40302dd84fdbd7b2a0c01eebfe87d7da5a4521b7d0016d339a938a56023d0f6ad8522026cb57e30d157b194dc85129199ae41f458b20005e8627a16a8b8d05f1fa9f6c5f31bfde58ca4b1da421c1cb444c43582dd36269351617c2de46980e3d056a4aa3939fbd492d1e1d185ec615f1b639d07c8984e454d02b512740b9a020977ecef2e3f64dc87276195acfdffef6bb41a0ed7722cc8e053d245ea1231be0bf6dc7a2c79692645dd38021cfc6edf8811bdcd803846cde4bbd06290926fa6ac0018a7be5c64717a21cfdb840d3cd7fa6f9c557ed899d8796c40d7ff85c7bffc01652cc4176e02feb48ff0176dd07977bc558c1b158a92d0b55da5e0d0b559b2a52c40131e2fed61bdbabe512b61ef27495595a2339e3643e0da1807f55f08d23cae15d41f49496670670a2329c2b05135eccdaf5528cd5e3c04da2636b23373fe70
#TRUST-RSA-SHA256 2a5e496292e20ff5fa22ce2a5ddcb8776b3c6dd36b78fe650308df4745b98adb694c3fde8dac64b5c6070547e2f539d24a91248ac5083ee18a9fc7e4c7ef0bf1a116b137d5055a3432a4da7104a87422fe4840f13fbbb4ff8c55ae280d9a7c6d24154b5e66c0dde55a10d9039333083daf3854c3aa7bf75f27f8685f89352ef71a2ae2f003239763cd18f5faf76f7381724d868e9bb8c2e93dc6620e66ac455db6523684c41845708c3a06dde5b0e79f8d697fadc3ce95ca38341085978f958844a9780d91e0e1b66f96c1d606355aafb9ea5b715789b351c3996c174bb681d6a68e69219d4f58130ddc822a32ba04f87701f1398188215edeb4450ed440fe1450bd484b916803d59911fb51a7ff8ba437ac80bff4e76c566e0428c61d708ccd41e3e930232b42229dc10ee112ac476b86fe664c642354c78a33edb9c308641b73dd36a1f22a5b3df60c48d0eb623e02b759f9df41a750b2c452d932ce28d87094e9fb7206fbd31ac550ae71d57cce5b9b34ee306b6f3585c4e261b4e6b283bdc45381b5839ecc7f13d172b44e81a8b0ae9ea5f5b1a6702b1fed9c870acf991072201aa61ce0b374f25c308a27c0d3b22fb4f5389182c6df24b54076f3cab551e164c09b844c04b0d992ad60180b7e694960aef13f25e4e9285dbe78e7f0c38160ecdf7ab0d72d09164d875e3e56ef2b5f535ec37d548ae4b60320c2272ccd09
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(56984);
  script_version("1.36");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/16");

  script_name(english:"SSL / TLS Versions Supported");
  script_summary(english:"Checks which SSL / TLS versions are supported.");

  script_set_attribute(attribute:"synopsis", value:
"The remote service encrypts communications.");
  script_set_attribute(attribute:"description", value:
"This plugin detects which SSL and TLS versions are supported by the
remote service for encrypting communications.");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2011-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies(
      "find_service1.nasl",
      "apache_SSL_complain.nasl",
      "acap_starttls.nasl",
      "amqp_starttls.nasl",
      "ftp_starttls.nasl",
      "imap4_starttls.nasl",
      "ldap_starttls.nasl",
      "mssql_starttls.nasl",
      "nntp_starttls.nasl",
      "nut_starttls.nasl",
      "pop3_starttls.nasl",
      "rdp_ssl.nasl",
      "smtp_starttls.nasl",
      "telnet_starttls.nasl",
      "xmpp_starttls.nasl",
      "ircd_starttls.nasl",
      "rsync_starttls.nasl",
      "postgresql_starttls.nasl",
      "vmware_902_starttls.nasl"
    );

  script_exclude_keys("global_settings/disable_test_ssl_based_services", "global_settings/disable_ssl_cipher_neg");
  exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");
include("audit.inc");
include("rsync.inc");

global_var openssl_ciphers;

if (get_kb_item("global_settings/disable_test_ssl_based_services"))
  exit(1, "Not testing SSL based services per user config.");

if ( get_kb_item("global_settings/disable_ssl_cipher_neg" ) ) exit(1, "Not negotiating the SSL ciphers, per user config");

openssl_ciphers = make_array(
  "SSLv2", raw_string(
    0x07, 0x00, 0xc0,
    0x05, 0x00, 0x80,
    0x03, 0x00, 0x80,
    0x01, 0x00, 0x80,
    0x06, 0x00, 0x40,
    0x04, 0x00, 0x80,
    0x02, 0x00, 0x80
  ),
  "SSLv23", raw_string(
    0x00, 0x00, 0x89,
    0x00, 0x00, 0x88,
    0x00, 0x00, 0x87,
    0x00, 0x00, 0x84,
    0x00, 0x00, 0x46,
    0x00, 0x00, 0x45,
    0x00, 0x00, 0x44,
    0x00, 0x00, 0x41,
    0x00, 0x00, 0x3a,
    0x00, 0x00, 0x39,
    0x00, 0x00, 0x38,
    0x00, 0x00, 0x35,
    0x00, 0x00, 0x34,
    0x00, 0x00, 0x33,
    0x00, 0x00, 0x32,
    0x00, 0x00, 0x2f,
    0x00, 0x00, 0x1b,
    0x00, 0x00, 0x1a,
    0x00, 0x00, 0x19,
    0x00, 0x00, 0x18,
    0x00, 0x00, 0x17,
    0x00, 0x00, 0x16,
    0x00, 0x00, 0x15,
    0x00, 0x00, 0x14,
    0x00, 0x00, 0x13,
    0x00, 0x00, 0x12,
    0x00, 0x00, 0x11,
    0x00, 0x00, 0x0a,
    0x00, 0x00, 0x09,
    0x00, 0x00, 0x08,
    0x00, 0x00, 0x06,
    0x00, 0x00, 0x05,
    0x00, 0x00, 0x04,
    0x00, 0x00, 0x03,
    0x07, 0x00, 0xc0,
    0x06, 0x00, 0x40,
    0x04, 0x00, 0x80,
    0x03, 0x00, 0x80,
    0x02, 0x00, 0x80,
    0x01, 0x00, 0x80,
    0x00, 0x00, 0xff
  ),
  "SSLv3", raw_string(
    0xc0, 0x14,
    0xc0, 0x0a,
    0x00, 0x39,
    0x00, 0x38,
    0x00, 0x88,
    0x00, 0x87,
    0xc0, 0x0f,
    0xc0, 0x05,
    0x00, 0x35,
    0x00, 0x84,
    0xc0, 0x12,
    0xc0, 0x08,
    0x00, 0x16,
    0x00, 0x13,
    0xc0, 0x0d,
    0xc0, 0x03,
    0x00, 0x0a,
    0xc0, 0x13,
    0xc0, 0x09,
    0x00, 0x33,
    0x00, 0x32,
    0x00, 0x9a,
    0x00, 0x99,
    0x00, 0x45,
    0x00, 0x44,
    0xc0, 0x0e,
    0xc0, 0x04,
    0x00, 0x2f,
    0x00, 0x96,
    0x00, 0x41,
    0x00, 0x07,
    0xc0, 0x11,
    0xc0, 0x07,
    0xc0, 0x0c,
    0xc0, 0x02,
    0x00, 0x05,
    0x00, 0x04,
    0x00, 0x15,
    0x00, 0x12,
    0x00, 0x09,
    0x00, 0x14,
    0x00, 0x11,
    0x00, 0x08,
    0x00, 0x06,
    0x00, 0x03,
    0x00, 0xff
  )
);

function supports_TLS13(port)
{
  local_var data, rec, chello, sock;

  chello = tls13_client_hello();

  sock = open_sock_ssl(port);
  if (!sock) return FALSE;

  send(socket:sock, data:chello);

  data = recv_ssl(socket:sock, hard_timeout:TRUE);
  close(sock);

  # Server hello
  rec = ssl_find(
    blob:data,
    'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,
    'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO
  );
  if ( !isnull(rec) )
  {
    # check our server version is 3,3 and our extension supported version is TLS 1.3
    if (rec['handshake_version'] == 0x0303 && rec['extension_supported_versions'][0] == 0x0304)
      return TRUE;
  }

  return FALSE;
}

function supports(encaps, port)
{
  var cipher, cipherspec, helo, i, limit, rec, recs, sock, v2;
  var version, exts, host, version_ciphers, sni;
  var sni_alert = sni = FALSE;

  # Both SSLv2 and SSLv23 clients begin by sending an record in SSLv2
  # format.
  v2 = (encaps == ENCAPS_SSLv2 || encaps == ENCAPS_SSLv23);

  if (encaps == ENCAPS_SSLv2) version = raw_string(0x00, 0x02);
  else if (encaps == ENCAPS_SSLv3) version = raw_string(0x03, 0x00);
  else if (encaps == ENCAPS_TLSv1) version = raw_string(0x03, 0x01);
  else if (encaps == COMPAT_ENCAPS_TLSv11) version = raw_string(0x03, 0x02);
  else if (encaps == COMPAT_ENCAPS_TLSv12) version = raw_string(0x03, 0x03);

  # For most encapsulation types we first try connecting with all
  # ciphers, and then try with a OpenSSL's default set. For SSLv23 we
  # need an extra iteration since trying all ciphers needs to be done
  # in both SSLv3 and TLSv1 upgrade modes to detect all server
  # configurations.
  limit = 2;
  if (encaps == ENCAPS_SSLv23)
    limit += 1;

  for (i = 1; i <= limit; i++)
  {
    # SSLv23 goes through the following phases:
    #
    # 1) SSLv2 upgradeable to SSLv3 with all known ciphers.
    # 2) SSLv2 upgradeable to TLSv1 with all known ciphers.
    # 3) SSLv2 upgradeable to TLSv1 with OpenSSL's default ciphers.
    if (encaps == ENCAPS_SSLv23)
    {
      if (i == 1)
        version = raw_string(0x03, 0x00);
      else
        version = raw_string(0x03, 0x01);
    }

    version_ciphers = get_valid_ciphers_for_encaps(encaps:encaps, ciphers:ciphers);

    if (i != limit)
    {
      # See if the server supports this type of SSL by sending a
      # ClientHello with every possible cipher spec.
      cipherspec = "";
      foreach cipher (sort(keys(version_ciphers)))
      {
        if (
          (encaps == ENCAPS_SSLv2 && "SSL2_" >< cipher) ||
          (
            encaps == ENCAPS_SSLv23 &&
            (
              "SSL2_" >< cipher ||
              (i == 0 && "SSL3_" >< cipher) ||
              (i == 1 && "TLS1_" >< cipher)
            )
          ) ||
          # ciphers for >=SSLv3
          (
            encaps >= ENCAPS_SSLv3 &&
            encaps <= COMPAT_ENCAPS_TLSv12 &&
            strlen(ciphers[cipher]) == 2
          )
        )
        {
          # Normally, we can just add the cipher to the cipherspec,
          # but in SSLv23 we have to zero-extend the SSLv3 and TLSv1
          # ciphers to match the SSLv2 format.
          if (encaps == ENCAPS_SSLv23 && "SSL2_" >!< cipher)
            cipherspec += raw_string(0x00);
          cipherspec += ciphers[cipher];
        }
      }
    }
    else
    {
      # Certain SSL implementations, when sent a ClientHello with a
      # number of ciphers past some threshold, simply close the
      # socket. If we see this, try connecting with the default list
      # that OpenSSL uses.
      if (encaps == ENCAPS_SSLv2)
        cipherspec = openssl_ciphers["SSLv2"];
      else if (encaps == ENCAPS_SSLv23)
        cipherspec = openssl_ciphers["SSLv23"];
      else if (encaps == ENCAPS_SSLv3)
        cipherspec = openssl_ciphers["SSLv3"];
      else
        cipherspec = get_openssl_cipherspec(encaps:encaps);
    }


    # In some SSL implementations, EC-based cipher suites require
    # a supported named curve in ClientHello for it to return a
    # ServerHello, so we will send EC extensions, claiming
    # to support all curves and EC point formats.
    if (encaps >= ENCAPS_TLSv1 && encaps <= COMPAT_ENCAPS_TLSv12)
    {
      exts = tls_ext_ec() + tls_ext_ec_pt_fmt();

      # Add on an SNI extension if it makes sense to
      host = get_host_name();
      if (host != get_host_ip() && host != NULL && !sni_alert)
      {
        sni = TRUE;
        exts += tls_ext_sni(hostname:host);
      }

      if(encaps == COMPAT_ENCAPS_TLSv12)
        exts += tls_ext_sig_algs();
    }
    else exts = NULL;


    # Manually craft a ClientHello.
    rec = client_hello(
      version    : version,
      cipherspec : cipherspec,
      v2hello    : v2,
      extensions: exts
    );
    if (isnull(rec)) return FALSE;

    # Open a connection to the server.
    sock = open_sock_ssl(port);
    if (!sock) return FALSE;

    # Send the ClientHello.
    send(socket:sock, data:rec);

    # Receive target's response.
    recs = recv_ssl_recs(socket: sock, timeout: 20);
    close(sock);

    # Find the ServerHello record.
    if (encaps == ENCAPS_SSLv2)
    {
      rec = ssl_find(
        blob:recs,
        "content_type", SSL2_CONTENT_TYPE_SERVER_HELLO
      );
    }
    else
    {
      rec = ssl_find(
        blob:recs,
        "content_type", SSL3_CONTENT_TYPE_HANDSHAKE,
        "handshake_type", SSL3_HANDSHAKE_TYPE_SERVER_HELLO
      );

      if(sni)
      {
        var alert = ssl_find(blob:recs, "content_type", SSL3_CONTENT_TYPE_ALERT);
        if(!isnull(alert))
        {
          if(alert['level'] == SSL3_ALERT_TYPE_FATAL &&
             alert['description'] == SSL3_ALERT_TYPE_UNRECOGNIZED_NAME)
          {
            # Try again without SNI
            ssl_dbg(lvl: 1, src:SCRIPT_NAME, msg:'Received alert for unrecognized name,' +
              'retrying without SNI.');
            replace_kb_item(name:"SSL/NO_SNI/" + port, value:TRUE);
            sni_alert = TRUE;
            limit += 1;
          }
        }
      }
    }

    # If we didn't find the record we were looking for, then the
    # server doesn't support this encapsulation method.
    if (isnull(rec)) continue;

    # If we're in SSLv2 mode, we'd like an SSLv2 response. If we're in
    # any other mode, success is indicated by an SSLv3/TLSv1 response
    # with a version number matching our ClientHello.
    if (rec["version"] == getword(blob:version, pos:0))
      return TRUE;
  }

  return FALSE;
}

# All parameters in SSL are big-endian.
set_byte_order(BYTE_ORDER_BIG_ENDIAN);

# Get list of ports that use SSL or StartTLS.
ports = get_ssl_ports();
if (isnull(ports) || max_index(ports) == 0)
  exit(0, "The host does not appear to have any SSL-based services.");

encapsulations = make_array(
  "SSLv2", ENCAPS_SSLv2,
#  "SSLv23", ENCAPS_SSLv23, # XXX-MAK: Disabled due to FPs.
  "SSLv3", ENCAPS_SSLv3,
  "TLSv1.0", ENCAPS_TLSv1,
  "TLSv1.1", COMPAT_ENCAPS_TLSv11,
  "TLSv1.2", COMPAT_ENCAPS_TLSv12
  # note TLS 1.3 is handled sperately below
);

# Test every port for which versions of SSL/TLS are supported.
flag = 0;
foreach var port (ports)
{
  if (!get_port_state(port)) continue;

  supports_tls13 = FALSE;
  versions = make_list();

  # first we check TLS 1.3 separately since it is special
  if (supports_TLS13(port:port))
  {
    versions = make_list(versions, "TLSv1.3");
    set_kb_item(name:"SSL/Transport/" + port, value:COMPAT_ENCAPS_TLSv13);
    supports_tls13 = TRUE;
  }

  # then we check each older version of SSL/TLS.
  foreach var encaps (sort(keys(encapsulations)))
  {
    id = encapsulations[encaps];

    if (!supports(port:port, encaps:id)) continue;

    versions = make_list(versions, encaps);

    set_kb_item(name:"SSL/Transport/" + port, value:id);
    replace_kb_item(name:"Transports/TCP/" + port, value:id);
  }

  #We want this KB to reflect the highest supported version - see find_service.nasl
  if(supports_tls13)
    replace_kb_item(name:"Transports/TCP/" + port, value:ENCAPS_TLSv1_3);

  # Combine results from all versions into one report for this port.
  if (max_index(versions) == 0) continue;

  if ( flag == 0 )
  {
	set_kb_item(name:"SSL/Supported", value:TRUE);
	flag = 1;
  }

  report = '\nThis port supports ' + join(versions, sep:"/") + '.\n';
  security_note(port:port, extra:report);
}
if (flag == 0)
{
  if (max_index(ports) > 1)
    plural = "s";
  else
    plural = "";

  exit(0, "No supported TLS versions were detected (port" + plural + ": " + join(ports, sep:", ") + ")");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Jun 2025 00:00Current
5.4Medium risk
Vulners AI Score5.4
885