Nmap Development mailing list archives
Re: ssl-enum-ciphers with just hostname fails
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 24 Oct 2014 21:23:54 -0500
Kent,

Would you mind trying the attached patch to see if it works for you? It checks for a fatal unrecognized_name alert and retries after removing the SNI extension entirely.

Dan

On Fri, Oct 24, 2014 at 4:11 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

Kent,

Thanks for noticing the problem. It makes sense that we're not handling this properly: we try to do the server name extension with the best info we have, but don't try to fall back to just IP (no SNI extension) if there's a failure. It would certainly help to have your pcap file, though I'd guess I could replicate it by setting a bogus /etc/hosts entry for a server that supports SNI and scanning with that name.

Dan

On Fri, Oct 24, 2014 at 4:04 PM, Kent Fritz <kfritz () wolfman devio us> wrote:

I was scanning some servers on my network, and found that ssl-enum-ciphers seems to skip TLSv1 and above if you just use the hostname rather than the FQDN or IP address. The first TLS record from the server is a warning about the name, and it appears the code tries to handle it, but it just doesn't work. I have -d output and a pcap I can send off-list if anyone wants to look.

Thanks,
Kent.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Attachment: sni.patch
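The decision discussed in this thread (tolerate a warning about the name, fall back to no SNI on a fatal unrecognized_name) can be sketched as below. This is an added example, not the attached sni.patch or Nmap's own code; the function names and the constructed sample records are assumptions made for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
WARNING, FATAL = 1, 2          # alert levels
UNRECOGNIZED_NAME = 112        # alert description defined in RFC 6066

def iter_records(data):
    """Yield (content_type, body) for each complete TLS record in data."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5 : pos + 5 + length]
        if len(body) < length:  # truncated record: stop rather than guess
            return
        yield ctype, body
        pos += 5 + length

def next_step(response):
    """Classify the server's first flight for a probe that sent SNI.

    Returns "continue", "retry_without_sni" or "give_up".
    """
    for ctype, body in iter_records(response):
        if ctype == HANDSHAKE:
            return "continue"               # handshake data arrived
        if ctype == ALERT and len(body) >= 2:
            level, desc = body[0], body[1]
            if level == FATAL and desc == UNRECOGNIZED_NAME:
                return "retry_without_sni"  # name rejected: drop the extension
            if level == FATAL:
                return "give_up"            # some other fatal alert
            # warning-level alert: keep reading the following records
    return "give_up"                        # nothing usable was received

def record(ctype, body, version=0x0301):
    """Hypothetical helper: wrap body in a TLS record header."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed samples, not taken from the pcap mentioned in the thread.
WARN_THEN_HELLO = (record(ALERT, bytes([WARNING, UNRECOGNIZED_NAME]))
                   + record(HANDSHAKE, b"\x02\x00\x00\x00"))
FATAL_NAME = record(ALERT, bytes([FATAL, UNRECOGNIZED_NAME]))
FATAL_OTHER = record(ALERT, bytes([FATAL, 40]))  # 40 = handshake_failure
```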
Current thread:
- ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 25)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 25)
- Re: ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 26)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)