Nmap Development mailing list archives
Fwd: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 25 Oct 2014 06:40:33 -0500
Dan,

Could you take a look at the updated patch for this? Having this functionality included would greatly help with some surveys I am doing.

Thanks much,

Tom Sellers

-------- Original Message --------
Subject: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
Date: Sat, 11 Oct 2014 19:10:20 -0500
From: Tom Sellers <nmap () fadedcode net>
To: Nmap-dev <dev () nmap org>

On 10/11/2014 6:30 PM, David Fifield wrote:
> On Sat, Oct 11, 2014 at 06:24:25PM -0500, Tom Sellers wrote:
>> All,
>>
>> There's been a lot of press recently about Google and Mozilla becoming more aggressive about how they handle x509 certificates that have been signed using SHA-1. To assist with detecting SHA-1 signed certificates I have created and attached a patch that adds the signature algorithm that was used to sign the target's x509 certificate to the output of the 'ssl-cert.nse'.
>>
>> I am not a C coder so the modifications to 'nse_ssl_cert.cc' may need a bit of tweaking. Also, the ordering of elements may need to be adjusted. To reduce user confusion I purposely did not place the Signature Algorithm output near the MD5 and SHA-1 hashes. Those values are 'fingerprints', or for Microsoft products: thumbprints, and are generated by ssl-cert.nse.
>
> Cool, what are the possible outputs? You have sha256WithRSAEncryption and ecdsa-with-SHA384; what values should someone auditing for SHA-1 look for?
>
> Be sure to update the @output and @xmloutput sections in the documentation.
The standard SHA1 looks like 'sha1WithRSAEncryption'. There doesn't seem to be a clean and easy to read list of the IDs that OpenSSL uses. I will link a few docs with them at the end of the email. Common ones appear to be:

    md5WithRSAEncryption
    sha1WithRSAEncryption
    sha256WithRSAEncryption

I have updated the patch with the @output and @xmloutput changes. Thanks for pointing that out, I'm pretty rusty at this point.

Tom

Links -
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.h
Attachment: ssl-cert_sig-algo-20141011.v2.patch
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
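The thread turns on two questions: where in the certificate the signature algorithm lives, and which OpenSSL names an auditor should treat as SHA-1 (or MD5) signatures. The script below is an added example written for this archive page; it is not part of Nmap, ssl-cert.nse or the attached patch. It walks the outer DER structure of a certificate with nothing but the Python standard library, reads the signatureAlgorithm OID that follows tbsCertificate, and maps it to the long name OpenSSL prints. The OID-to-name table is assumed from OpenSSL's objects.txt (the file Tom links), and the "certificate" it parses is a constructed sample that is only structurally well-formed, built so the code runs offline; real input would come from a PEM or DER file.

```python
"""Report the signatureAlgorithm of a DER/PEM X.509 certificate and flag MD5/SHA-1.

Added example for the ssl-cert.nse thread; not Nmap code and not the patch.
"""
import base64

# OID -> OpenSSL long name. Assumed mapping, taken from OpenSSL's objects.txt.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# Signature OIDs whose digest is MD5 or SHA-1: what a SHA-1 audit should look for.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
                 "1.2.840.10040.4.3", "1.2.840.10045.4.1"}
TAG_SEQUENCE, TAG_OID, TAG_NULL, TAG_INTEGER, TAG_BITSTRING = 0x30, 0x06, 0x05, 0x02, 0x03


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Convert DER OID contents to dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40] if value[0] < 80 else [2, value[0] - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # continuation bit clear: arc complete
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (oid, openssl_name) from the outer signatureAlgorithm of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert)         # tbsCertificate: skipped whole
    tag, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != TAG_SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown (" + oid + ")")


def signature_algorithm_pem(pem):
    """Same lookup for PEM text (the form ssl-cert.nse prints with -vv)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return signature_algorithm(base64.b64decode(body))


def is_weak_signature(oid):
    """True when the certificate signature relies on MD5 or SHA-1."""
    return oid in WEAK_SIG_OIDS


# ---- helpers that build a constructed, structurally valid sample (not a real cert) ----
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256
                                         else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Dummy tbsCertificate, the AlgorithmIdentifier under test, and a fake signature."""
    tbs = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x02"))       # placeholder, not a real TBS
    alg = tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(sig_oid)) + tlv(TAG_NULL, b""))
    sig = tlv(TAG_BITSTRING, b"\x00" + b"\xAA" * 200)        # long enough to need long-form length
    return tlv(TAG_SEQUENCE, tbs + alg + sig)


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for sample_oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.3"):
        oid, name = signature_algorithm(make_sample_cert(sample_oid))
        print(name, "WEAK" if is_weak_signature(oid) else "ok")
```

Two points worth keeping in mind when using this on real certificates: RFC 5280 requires the outer signatureAlgorithm to equal the `signature` field inside tbsCertificate, so a mismatch is itself a finding; and the weak list is keyed on the OID, not on the printed name, so an algorithm OpenSSL does not know by name is still caught if its OID is in the table.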