Want this feature implemented, too? Please upvote by clicking Thumbs up!
(Posts as a reply won't be published in this feature request thread. Read Me!)
User story
As a PRTG user, I want a sensor that enumerates all crypto suites under each TLS version.
Details of user story
The sensor should be able to provide information similar to this:
{{{nmap --script ssl-enum-ciphers -p 18443 0.0.0.0 Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-16 07:37 CEST Nmap scan report for 0.0.0.0 Host is up (0.000059s latency).
PORT STATE SERVICE VERSION 18443/tcp open ssl/unknown
| ssl-enum-ciphers: | |||
| TLSv1.1: | |||
| ciphers: | |||
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | |||
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | |||
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | |||
| compressors: | |||
| NULL | |||
| cipher preference: server | |||
| warnings: | |||
| 64-bit block cipher 3DES vulnerable to SWEET32 attack | |||
| Forward Secrecy not supported by any cipher | |||
| TLSv1.2: | |||
| ciphers: | |||
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | |||
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | |||
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | |||
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | |||
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | |||
| compressors: | |||
| NULL | |||
| cipher preference: server | |||
| warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Forward Secrecy not supported by any cipher | _ least strength: C}}} |
Acceptance criteria
- The sensor lists all crypto suites for all enabled TLS versions
- The sensor alerts on old deprecated suites.
Status
Open
