Open superuser5 opened 5 years ago
My server doesn't support aNULL ciphers and the connection will fail when running `openssl s_client -connect IP:Port -cipher aNULL`.
But a2sv returns Vulnerable, so I think it's a bug!
To complement, I checked my server too and `openssl s_client -connect IP:Port -cipher aNULL`
gives an error in the SSL handshake, so it seems to be a bug, while a2sv says it is vulnerable to anonymous cipher.
Also checked with testssl and TestSSLServer and any of the cipher suites admits NULL.
When running the scan from Kali it says Vulnerable to anonymous cipher, but the log says that the connection fails.
```
[INF] Scan Anonymous Cipher..

Vulnerability     CVE            CVSS v2 Base Score          State
================  =============  ==========================  ===============
Anonymous Cipher  CVE-2007-1858  AV:N/AC:H/Au:N/C:P/I:N/A:N  Vulnerable!
CRIME(SPDY)       CVE-2012-4929  AV:N/AC:H/Au:N/C:P/I:N/A:N  Vulnerable!
HeartBleed        CVE-2014-0160  AV:N/AC:L/Au:N/C:P/I:N/A:N  Not Vulnerable.
CCS Injection     CVE-2014-0224  AV:N/AC:M/Au:N/C:P/I:P/A:P  Not Vulnerable.
SSLv3 POODLE      CVE-2014-3566  AV:N/AC:M/Au:N/C:P/I:N/A:N  Not Vulnerable.
OpenSSL FREAK     CVE-2015-0204  AV:N/AC:M/Au:N/C:N/I:P/A:N  Not Vulnerable.
OpenSSL LOGJAM    CVE-2015-4000  AV:N/AC:M/Au:N/C:N/I:P/A:N  Not Vulnerable.
SSLv2 DROWN       CVE-2016-0800  AV:N/AC:M/Au:N/C:P/I:N/A:N  Not Vulnerable.
```
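The cross-check the commenters describe (an aNULL-only handshake that fails on a server without anonymous suites), as an added Python example that is not part of this thread and not a2sv's code; `probe_anon_cipher` and its three verdicts are names made up for this example. It reports a failed TCP connection separately from a refused handshake, so a connection failure never counts as vulnerable.

```python
import socket
import ssl


def probe_anon_cipher(host, port, timeout=5.0):
    """Offer only anonymous (aNULL) suites; return (verdict, detail).

    verdict is 'accepted' (server completed an anonymous handshake),
    'rejected' (server refused it) or 'inconclusive' (no usable answer).
    """
    # Step 1: plain TCP connect. A failure here says nothing about ciphers.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("inconclusive", f"TCP connection failed: {exc}")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # anonymous suites carry no certificate
    # TLS 1.3 has no anonymous suites and ignores set_ciphers(), so cap at 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("aNULL:@SECLEVEL=0")
    except ssl.SSLError as exc:
        sock.close()
        return ("inconclusive", f"local OpenSSL has no aNULL suites: {exc}")

    # Step 2: the handshake itself decides the verdict.
    try:
        with ctx.wrap_socket(sock) as tls:
            return ("accepted", f"negotiated {tls.cipher()[0]}")
    except socket.timeout:
        sock.close()
        return ("inconclusive", "handshake timed out")
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return ("rejected", f"handshake failed: {exc}")


if __name__ == "__main__":
    import sys
    # Usage: python probe.py HOST PORT
    print(*probe_anon_cipher(sys.argv[1], int(sys.argv[2])), sep=": ")
```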