Re: ssl-enum-ciphers with just hostname fails

[Daniel Miller <bonsaiviking () gmail com>]

Kent,

Would you mind trying the attached patch to see if it works for you?
It checks for a fatal unrecognized_name alert and retries after
removing the SNI extension entirely.

Dan

On Fri, Oct 24, 2014 at 4:11 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Kent,
>
> Thanks for noticing the problem. It makes sense that we're not
> handling this properly: we try to do the server name extension with
> the best info we have, but don't try to fall back to just IP (no SNI
> extension) if there's a failure. It would certainly help to have your
> pcap file, though I'd guess I could replicate it by setting a bogus
> /etc/hosts entry for a server that supports SNI and scanning with that
> name.
>
> Dan
>
> On Fri, Oct 24, 2014 at 4:04 PM, Kent Fritz <kfritz () wolfman devio us> wrote:
> > I was scanning some servers on my network, and found that ssl-enum-ciphers
> > seems to skip TLSv1 and above if you just use the hostname rather than
> > the FQDN or IP address.  The first TLS record from the server is a warning
> > about the name, and it appears the code tries to  handle it, but it just
> > doesn't work.
> >
> > I have -d output and a pcap I can send off-list if anyone wants to look.
> >
> > Thanks,
> >
> > Kent.
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > http://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/

Attachment: sni.patch
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/