Nmap Development mailing list archives
Re: SSL support in Ncat - confusing server parameters and client version issue
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sun, 8 Feb 2009 11:25:07 +0100
A bit more information on the second issue:

Apparently Ncat uses the SSLv23_client_method() defined in nsock_ssl.c. This method sends an SSLv2-compatible Client Hello, indicating that it understands SSLv2, SSLv3 and TLSv1. However, a pure TLSv1 or SSLv3 server (i.e. a server initiated with the methods TLSv1_server_method() or SSLv3_server_method()) will NOT understand this Client Hello (see http://www.openssl.org/docs/ssl/SSL_CTX_new.html). Additionally, a pure TLSv1 server will also NOT understand SSLv3 Client Hello messages.

In other words, to support the widest range of SSL servers available, it seems that Ncat should not only try the SSLv23_client_method(), but also the SSLv3_client_method() and TLSv1_client_method(). Not sure how this can be most efficiently implemented though.

Also note that the same nsock_ssl code seems to be called by the Nmap engine for its SSL support, so this might have repercussions for version detection (and possibly the scripting engine) as well. Indeed, a quick version scan on different "openssl s_server" instances (using the commands from the earlier post) shows that Nmap version detection also makes a difference between a pure SSLv3/TLSv1 server and the other cases:

- In case of a pure SSLv3/TLSv1 server, Nmap correctly detects that it is a service wrapped in SSL ("ssl/unknown").
- In the other cases though (default/ssl2/no_ssl2), Nmap detects the SSL service, launches a whole battery of SSL probes at the service, but, as it is unable to induce any response, it ultimately falls back to "unknown?", not even indicating that SSL was detected.

Of course the "openssl s_server" instances are artificial test cases, as they do not respond in any way, apart from the SSL handshake. Nevertheless, Nmap should be (and is) well aware that there is an SSL service listening on that port (because of the SSL handshake), so it should not fall back to "unknown". Not sure why that happens.

Cheers,
Kristof

On Sat, Feb 7, 2009 at 12:06 PM, Kristof Boeynaems <kristof.boeynaems () gmail com> wrote:

-------------------------------------------------------------------------------
2. Ncat as SSL client - Not all versions supported?
-------------------------------------------------------------------------------

It seems that Ncat does not support pure TLSv1 or SSLv3 servers. Starting an OpenSSL SSLv3 or TLSv1 server with the following commands:

    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl3
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -tls1

and trying to connect with Ncat as follows:

    ./ncat --ssl localhost 4433

Ncat immediately quits without any error, while at the openssl side the following error is shown (both in SSLv3 and TLSv1 case):

    3026:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:295:

It works fine with an OpenSSL server started without specifying the version, or using -no_ssl2 or -ssl2:

    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -no_ssl2
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl2

Am I missing something, or does Ncat indeed not support pure TLSv1 and SSLv3 servers?

Thank you,
Kristof
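
The framing mismatch described in the message above, as an added example that is not part of the original post and is not Ncat, Nmap or OpenSSL code: it classifies the first bytes of a Client Hello by wire format and applies a simplified model of which server mode can parse it. All identifiers and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_kind { HELLO_UNKNOWN, HELLO_SSLV2_COMPAT, HELLO_SSLV3, HELLO_TLSV1 };
enum server_mode { SRV_SSLV23, SRV_SSLV3_ONLY, SRV_TLSV1_ONLY };

/* Constructed 6-byte prefixes of three Client Hello messages (not captures). */
static const uint8_t SAMPLE_V23[]  = { 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00 };
static const uint8_t SAMPLE_SSL3[] = { 0x16, 0x03, 0x00, 0x00, 0x2f, 0x01 };
static const uint8_t SAMPLE_TLS1[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01 };

/* Classify the first bytes a client sends on a new connection. */
enum hello_kind classify_hello(const uint8_t *p, size_t n)
{
    if (n < 6)
        return HELLO_UNKNOWN;
    /* SSLv2 framing: 2-byte length header with the high bit set, then
     * message type 1 (CLIENT-HELLO) and the highest version offered. */
    if ((p[0] & 0x80) && p[2] == 0x01)
        return HELLO_SSLV2_COMPAT;
    /* SSLv3/TLS record: content type 22 (handshake), version major.minor,
     * 2-byte length, then handshake type 1 (ClientHello). */
    if (p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        if (p[2] == 0x00) return HELLO_SSLV3;
        if (p[2] == 0x01) return HELLO_TLSV1;
    }
    return HELLO_UNKNOWN;
}

/* Simplified model: a version-flexible server parses every known framing,
 * a pure SSLv3 or TLSv1 server only a record hello of its own version. */
int server_understands(enum server_mode s, enum hello_kind h)
{
    switch (s) {
    case SRV_SSLV23:     return h != HELLO_UNKNOWN;
    case SRV_SSLV3_ONLY: return h == HELLO_SSLV3;
    case SRV_TLSV1_ONLY: return h == HELLO_TLSV1;
    }
    return 0;
}

int main(void)
{
    enum hello_kind h = classify_hello(SAMPLE_V23, sizeof SAMPLE_V23);
    printf("v2-compatible hello vs pure TLSv1 server: %s\n",
           server_understands(SRV_TLSV1_ONLY, h) ? "parsed" : "rejected");
    return 0;
}
```

The same classifier run over the first bytes of a packet capture shows which framing a client actually sent when a server logs "wrong version number".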