Nmap Development mailing list archives
Re: SSL support in Ncat - client version issue: what do other apps do?
From: David Fifield <david () bamsoftware com>
Date: Wed, 18 Feb 2009 12:30:10 -0700
On Wed, Feb 18, 2009 at 08:41:55AM +0100, Kristof Boeynaems wrote:
On Wed, Feb 18, 2009 at 6:37 AM, David Fifield <david () bamsoftware com> wrote:I looked at the source code of some other applications to see how they handle SSL client connections. None that I found use the fallback/retry technique that has been discussed (and implemented at http://seclists.org/nmap-dev/2009/q1/0430.html). Wget only supports one client method at a time, but it provides command-line options to choose which method to use. If you say --secure-protocol=auto, it uses SSLv23_client_method, if you say --secure-protocol=TLSv1, it uses TLSv1_client_method, etc. See src/openssl.c. http://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html cURL is the same, only supporting one method at a time but providing options --tlsv1, --sslv2, --sslv3. If none of those are given the SSLv23_client_method method is used. See lib/ssluse.c. socat again only supports one method per connection. It has a method option to choose which one is used: method=SSLv2, method=SSLv23, etc. See xio-openssl.c. http://www.dest-unreach.org/socat/doc/socat.html#GROUP_OPENSSL That seems to be a common solution: provide SSL version selection for use against those servers that require it, and use SSLv23_client_method by default.Thanks for this list, very interesting! Accidentally I bumped into a post where Nessus discusses the exact same problem: http://list.nessus.org/pipermail/nessus-devel/2002-February/msg00002.html. Not sure how they currently implement it, but apparently in 2002, the plan was to try 4 different connections.
I looked at the source of libnessus 2.2.8 (downloaded with "apt-get source libnessus-dev" as the Nessus site wanted me to click through some agreement). I can't find where they try multiple connection. The only file that mentions client methods is libnessus/network.c, and it appears to use the same pattern of allowing one configurable method per connection. I could be reading the code wrong, or maybe that code itself is called multiple times. Here's an online copy of the file: http://nessus-libraries.sourcearchive.com/documentation/2.2.10-3/network_8c-source.html I was looking in the function open_SSL_connection. I looked at OpenVAS but they have migrated everything over to GnuTLS. The Debian changelog suggests that 1.0.10 would have been current at the beginning of 2002. I found an SRPM for 1.0.9, but it contains no mention of OpenSSL at all. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 07)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue David Fifield (Feb 17)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 18)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? Kristof Boeynaems (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 18)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters David Fifield (Feb 27)