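I had been running Elecom's business wireless AP "WAB-I1750-PS" on firmware 1.5.10 (released 2021/01/20), but when I happened to check, 2.0.4 had come out on 2024/8/6.
There is a lot I can't tell about what changed, but at the very least the HTTPS settings of the management console have become more modern, or rather evolved a little: TLS1.1 and TLS1.2 can now be used.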
nmap result, 1.5.10i:

```
XXXX@yyyy:~ $ nmap --script ssl-enum-ciphers -p 443 192.168.0.XXX
Starting Nmap 7.70 ( https://nmap.org ) at 2024-11-18 21:46 JST
Nmap scan report for 192.168.0.XXX
Host is up (0.12s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
```

nmap result, 2.0.4i:

```
XXXX@yyyy:~ $ nmap --script ssl-enum-ciphers -p 443 192.168.0.XXX
Starting Nmap 7.70 ( https://nmap.org ) at 2024-11-18 21:57 JST
Nmap scan report for 192.168.0.XXX
Host is up (0.0093s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
```
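Comparing two `ssl-enum-ciphers` outputs by eye is error-prone, so here is a small parser that diffs a before/after pair and reports what is still weak after the upgrade. This is an added example, not part of the original post; the function names `parse` and `compare` are hypothetical, and the embedded input is a trimmed excerpt of the two scans above.

```python
import re

# Excerpts of the two scans on this page, trimmed to protocol lines and a few
# cipher lines each (constructed sample input; the full output parses the same way).
SCAN_1_5_10 = """\
|   SSLv3:
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|   TLSv1.0:
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
"""
SCAN_2_0_4 = """\
|   SSLv3:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|   TLSv1.0:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|   TLSv1.1:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|   TLSv1.2:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
"""

PROTO = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
# Matches "(rsa 1024)"-style key info as seen on this page; other forms are skipped.
CIPHER = re.compile(r"^\|\s+(TLS_\w+) \((\w+) (\d+)\) - ([A-F])\s*$")

def parse(scan):
    """Return {protocol: {cipher: (key_bits, grade)}} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in scan.splitlines():
        if m := PROTO.match(line):
            current = result.setdefault(m.group(1), {})
        elif (m := CIPHER.match(line)) and current is not None:
            current[m.group(1)] = (int(m.group(3)), m.group(4))
    return result

def compare(old, new):
    """Summarise what an upgrade changed and what is still weak afterwards."""
    o, n = parse(old), parse(new)
    names = lambda d: {c for suites in d.values() for c in suites}
    return {
        "protocols_added": sorted(n.keys() - o.keys()),
        "ciphers_removed": sorted(names(o) - names(n)),
        # SSLv3 and TLS 1.0/1.1 are deprecated (RFC 7568, RFC 8996).
        "legacy_protocols_left": sorted(p for p in n if p != "TLSv1.2"),
        "min_key_bits": min(b for s in n.values() for b, _ in s.values()),
        "worst_grade": max(g for s in n.values() for _, g in s.values()),
    }
```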