Nmap Development mailing list archives
Re: Proposed SSL version detection probe changes
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Tue, 17 Feb 2009 22:55:50 +0100
Kristof Boeynaems wrote:
I put together some custom nmap-service-probes file for the purpose of detecting such sslv3-only or tlsv1-only services (which are currently not supported by Nsock), and used it to perform a quick survey on about 1000 HTTPS web servers. I was not able to find a single sslv3-only or tlsv1-only host. Seems that SSL-enabled webservers are (almost) always SSLv2-compatible, which is maybe not so surprising. Nevertheless, that makes me even more curious about that 3% Brandon talked about. Which ports were these services running on?

Brandon Enright wrote:

I did not do an internet survey myself, but in theory Nmap will have problems with any SSL server that is not backward compatible with SSLv2 (i.e. SSLv3-only or TLSv3-only). A type of SSL server that I would expect to become more prevalent as SSLv2 support is being phased out.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 16 Feb 2009 23:53:04 -0800 or thereabouts Fyodor <fyodor () insecure org> wrote:

...snip...

I agree that we should make sure Nsock can connect to any reasonable SSL servers. Have you found any SSL servers on the Internet for which browsers can connect, but ncat and/or version detection (they use the same SSL connection creation calls) can't?

Some versions of Nessus, yes. Not too long ago I did a giant SSL survey of the Internet (many millions of hosts) and found that a small percentage (~3%) could not be connected to with the default SSL23 probe. I had to manually specify one of the SSL versions using openssl s_client.

It shouldn't be too difficult to come up with an Nmap-based script that scans a wide range of random SSL servers, and determines what version they are supporting; but it seems that Brandon has already done this before as part of his SSL survey. I would be very interested to see a list of that 3%. Is this something you can share, Brandon?
Thanks,
Kristof
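An added example, not part of the original message or of Nmap: a small Python classifier for the first record a server returns to an SSL probe, combined into the per-host label the survey discussed above is after (a host that rejects an SSLv2-format hello but answers an SSLv3-format one). The function names, labels and sample byte strings are constructed for illustration.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}

def classify_reply(data: bytes) -> str:
    """Classify the first record of a server's reply to an SSL/TLS hello."""
    if len(data) < 5:
        return "no-reply" if not data else "unknown"
    if data[0] & 0x80:
        # SSLv2 record: 2-byte length header (high bit set), then message type.
        if data[2] == 4 and len(data) >= 7:      # SERVER-HELLO
            (version,) = struct.unpack(">H", data[5:7])
            return "server-hello " + VERSIONS.get(version, hex(version))
        return "sslv2-error" if data[2] == 0 else "unknown"
    # SSLv3/TLS record: content type, record version, length, then payload.
    content_type, _rec_version, rec_len = struct.unpack(">BHH", data[:5])
    body = data[5:5 + rec_len]
    if content_type == 21 and len(body) >= 2:    # alert: level, description
        return "alert %d" % body[1]
    if content_type == 22 and len(body) >= 6 and body[0] == 2:  # ServerHello
        (version,) = struct.unpack(">H", body[4:6])
        return "server-hello " + VERSIONS.get(version, hex(version))
    return "unknown"

def label_host(reply_to_v2_hello: bytes, reply_to_v3_hello: bytes) -> str:
    """Combine the replies to an SSLv2-format hello and an SSLv3-format hello."""
    if classify_reply(reply_to_v2_hello).startswith("server-hello"):
        return "accepts SSLv2-format hello"
    if classify_reply(reply_to_v3_hello).startswith("server-hello"):
        return "SSLv3/TLS only"
    return "no SSL handshake"

# Constructed sample replies (not captured from any real host).
TLS1_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01"
                     + bytes(32) + b"\x00\x00\x2f\x00")
SSL2_SERVER_HELLO = (b"\x80\x1e\x04\x00\x01\x00\x02\x00\x00\x00\x03\x00\x10"
                     + b"\x07\x00\xc0" + bytes(16))
HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    print(label_host(SSL2_SERVER_HELLO, TLS1_SERVER_HELLO))
    print(label_host(HANDSHAKE_FAILURE, TLS1_SERVER_HELLO))
    print(label_host(b"", b""))
```

A server may answer an SSLv2-format hello with an SSLv3/TLS ServerHello, which is why the first check accepts any ServerHello rather than only an SSLv2 one.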