Nmap Development mailing list archives
Re: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 25 Oct 2014 13:46:05 -0500
Tom,

This looks great, too! This is an important piece of info that we should be checking for. Feel free to commit it.

By the way, my current wishlist regarding SSL/TLS parameter detection is:

1. DH parameter strength
2. More vulnerability checks (BEAST, CRIME, Lucky13)
3. Unified scoring system, probably based on Qualys's excellent SSL Server Rating Guide.
4. DV, OV, and EV certs (requires checking for a ton of different OIDs depending on CA)

Dan

On Sat, Oct 25, 2014 at 6:40 AM, Tom Sellers <nmap () fadedcode net> wrote:
> Dan,
>
> Could you take a look at the updated patch for this? Having this functionality included would greatly help with some surveys I am doing.
>
> Thanks much,
>
> Tom Sellers
>
> -------- Original Message --------
> Subject: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
> Date: Sat, 11 Oct 2014 19:10:20 -0500
> From: Tom Sellers <nmap () fadedcode net>
> To: Nmap-dev <dev () nmap org>
>
> On 10/11/2014 6:30 PM, David Fifield wrote:
> > On Sat, Oct 11, 2014 at 06:24:25PM -0500, Tom Sellers wrote:
> > > All,
> > >
> > > There's been a lot of press recently about Google and Mozilla becoming more aggressive about how they handle x509 certificates that have been signed using SHA-1. To assist with detecting SHA-1 signed certificates I have created and attached a patch that adds the signature algorithm that was used to sign the target's x509 certificate to the output of 'ssl-cert.nse'.
> > >
> > > I am not a C coder so the modifications to 'nse_ssl_cert.cc' may need a bit of tweaking. Also, the ordering of elements may need to be adjusted. To reduce user confusion I purposely did not place the Signature Algorithm output near the MD5 and SHA-1 hashes. Those values are 'fingerprints', or for Microsoft products: thumbprints, and are generated by ssl-cert.nse.
> >
> > Cool, what are the possible outputs? You have sha256WithRSAEncryption and ecdsa-with-SHA384; what values should someone auditing for SHA-1 look for?
> >
> > Be sure to update the @output and @xmloutput sections in the documentation.
>
> The standard SHA1 looks like 'sha1WithRSAEncryption'. There doesn't seem to be a clean and easy-to-read list of the IDs that OpenSSL uses. I will link a few docs with them at the end of the email. Common ones appear to be:
>
> md5WithRSAEncryption
> sha1WithRSAEncryption
> sha256WithRSAEncryption
>
> I have updated the patch with the @output and @xmloutput changes. Thanks for pointing that out, I'm pretty rusty at this point.
>
> Tom
>
> Links -
> https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt
> https://github.com/openssl/openssl/blob/master/crypto/objects/objects.h
>
> _______________________________________________
> Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
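As an added example (not Nmap's code and not Tom's patch), here is the check an auditor would run on the value ssl-cert.nse now reports: a minimal DER walker that pulls the outer signatureAlgorithm OID out of a certificate, maps it to the OpenSSL names discussed in the thread, and flags the MD5/SHA-1 ones. The certificate bytes are constructed here with a placeholder tbsCertificate, and the OID table is an assumed small subset of OpenSSL's objects.txt.

```python
OPENSSL_NAMES = {                               # assumed subset of OpenSSL's objects.txt long names
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def _tlv(buf, pos):                             # one DER tag/length/value at pos -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                           # base-128 arcs, high bit set on all but the last octet
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):                   # OpenSSL name, or the dotted OID if it is not in the table
    _, cert, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}
    _, _, pos = _tlv(cert, 0)                   # skip tbsCertificate; the outer AlgorithmIdentifier follows
    _, alg_id, _ = _tlv(cert, pos)              # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = _decode_oid(oid)
    return OPENSSL_NAMES.get(dotted, dotted)

def is_weak_signature(der):
    return signature_algorithm(der) in WEAK_SIGNATURES

def _der(tag, body):                            # tiny encoder, used only to build the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def sample_cert(oid_bytes):                     # constructed cert: placeholder tbs, real AlgorithmIdentifier
    tbs = _der(0x30, _der(0x02, b"\x02"))       # not a real tbsCertificate, just a SEQUENCE to skip over
    alg_id = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" + bytes(256)))  # dummy signature; long-form lengths
SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
ECDSA_SHA384 = bytes.fromhex("2a8648ce3d040303")    # 1.2.840.10045.4.3.3
```

On a real certificate the same walker applies to the DER bytes of the PEM body, and an unknown OID is returned in dotted form so it can be looked up in objects.txt.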