Nmap Development mailing list archives

Re: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 25 Oct 2014 13:46:05 -0500

Tom,

This looks great, too! This is an important piece of info that we
should be checking for. Feel free to commit it.

By the way, my current wishlist regarding SSL/TLS parameter detection is:

1. DH parameter strength
2. More vulnerability checks (BEAST, CRIME, Lucky13)
3. Unified scoring system probably based on Qualys's excellent SSL
Server Rating Guide.
4. DV, OV, and EV certs (requires checking for a ton of different OIDs
depending on CA)

Dan

On Sat, Oct 25, 2014 at 6:40 AM, Tom Sellers <nmap () fadedcode net> wrote:
Dan,

  Could you take a look at the updated patch for this?  Having this
functionality included would greatly help with some surveys I am
doing.

Thanks much,

Tom Sellers


-------- Original Message --------
Subject: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
Date: Sat, 11 Oct 2014 19:10:20 -0500
From: Tom Sellers <nmap () fadedcode net>
To: Nmap-dev <dev () nmap org>

On 10/11/2014 6:30 PM, David Fifield wrote:
On Sat, Oct 11, 2014 at 06:24:25PM -0500, Tom Sellers wrote:
All,
  There's been a lot of press recently about Google and Mozilla
  becoming more aggressive about how they handle x509 certificates
  that have been signed using SHA-1. To assist with detecting SHA-1
  signed certificates I have created and attached a patch that adds
  the signature algorithm that was used to sign the target's x509
  certificate to the output of the 'ssl-cert.nse'.  I am not a C coder
  so the modifications to 'nse_ssl_cert.cc' may need a bit of
  tweaking. Also, the ordering of elements may need to be adjusted.
  To reduce user confusion I purposely did not place the Signature
  Algorithm output near the MD5 and SHA-1 hashes.  Those values are
  'fingerprints', or for Microsoft products: thumbprints, and are
  generated by ssl-cert.nse.

Cool, what are the possible outputs? You have sha256WithRSAEncryption
and ecdsa-with-SHA384; what values should someone auditing for SHA-1
look for?

Be sure to update the @output and @xmloutput sections in the
documentation.


The standard SHA1 looks like 'sha1WithRSAEncryption'.  There doesn't
seem to be a clean and easy to read list of the IDs that OpenSSL uses.
I will link a few docs with them at the end of the email.

Common ones appear to be:

md5WithRSAEncryption
sha1WithRSAEncryption
sha256WithRSAEncryption

I have updated the patch with the @output and @xmloutput changes.  Thanks
for pointing that out, I'm pretty rusty at this point.

Tom

Links -
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.h
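
As an added illustration of where the value discussed above comes from (this is example code, not the ssl-cert.nse patch or any Nmap code, which obtains the name from OpenSSL): the outer signatureAlgorithm of a DER certificate is decoded and its OID mapped to the OpenSSL long names quoted in the thread, with a check for the MD5/SHA-1 names an audit looks for. The certificate bytes below are constructed stubs, not real certificates.

```python
# Added example (not Nmap/ssl-cert.nse code): read the outer signatureAlgorithm of a
# DER X.509 certificate and map its OID to the OpenSSL long name ssl-cert prints.
SIG_ALG_NAMES = {                                  # from OpenSSL objects.txt
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OpenSSL long name (dotted OID if unknown) of the certificate's signatureAlgorithm."""
    _, cert, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate (the signed body)
    _, alg_id, _ = _read_tlv(cert, pos)      # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)       # first element is the algorithm OID
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return SIG_ALG_NAMES.get(_decode_oid(oid), _decode_oid(oid))

def is_weak_signature(cert_der):
    """True for MD5- or SHA-1-based signatures, the values a SHA-1 audit looks for."""
    name = signature_algorithm(cert_der).lower()
    return "md5" in name or "sha1" in name

# Constructed samples (not real certificates): dummy tbsCertificate, AlgorithmIdentifier, empty BIT STRING
SAMPLE_SHA1_RSA = (
    bytes.fromhex("3081dd")                            # Certificate, long-form length 221
    + bytes.fromhex("3081c8") + b"\x00" * 200          # tbsCertificate, 200 dummy bytes
    + bytes.fromhex("300d06092a864886f70d0101050500")  # sha1WithRSAEncryption + NULL params
    + bytes.fromhex("030100"))                         # signatureValue
SAMPLE_ECDSA_SHA384 = bytes.fromhex("30143003020102300a06082a8648ce3d040303030100")  # no params
```

The nmap XML output carries the same name, so the `is_weak_signature` check can be applied to whatever field the script exposes it in.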

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/