When I using SSLSCAN to check the cipher suites of my server, I found that there are three status: Accepted, Rejected and Failed. After that, I tried to disable the ciphers of RC2(40bits). I created a new key "Enabled"=dword:00000000 under
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]. The SSLSCAN showed EXP-RC2-CBC-MD5 (40bits) was "failed" but the rest of RC2 (40bits) ciphers were "Rejected".
So this made me confused: what the difference between failed and rejected? I came across all the information on the google, including SSLSCAN main page, but haven't find a clear answer.
Best Answer
I wondered about the same thing, looked at the source code (“Use the source, Luke!” :), and it simply is the return value of
SSL_connect()from the OpenSSL library. The documentation states that:Accepted(1) means:Rejected(0) means:Failed(<0) means:The latter two can be followed by a
N/A, if https is not available.So I think
sslscanshould contain a--verboseor-voption that callsSSL_get_error()and outputs the actual reason it failed (or was rejected).That would be rather useful. Because right now, it isn’t.
For now, all I can recommend is to manually connect with a more real-world client, force the usage of a certain cipher on said client or on the server, and then have it show you the actual reason.
Unless you want to improve
sslscan’s code, of course. :)