Re: [nmap-svn] r36581 - nmap/scripts

[Daniel Miller <bonsaiviking () gmail com>]

Rob,

No, the cause of the trouble here was that the server was choosing to issue
all TLS alert messages with the TLSv1.1 record layer, even if we tried to
initiate a TLSv1.2 handshake. In some cases, it would even fall back to
TLSv1.1 if an offered cipher was supported for that version but not for
TLSv1.2. That alone would be fine except it would happen even if the record
layer version we used was higher than TLSv1.1. So we never got as far as
certificate parsing. I do thank you for catching that unusual case, though.

Dan

On Sat, Feb 25, 2017 at 7:12 AM, Rob Nicholls <robert () robnicholls co uk>
wrote:

> Hi Dan,
>
> I followed the link and saw the output from Nmap 7.40 that was missing the
> list of TLSv1.2 ciphers. Did the person try using an SVN build at any
> point?
> I had a similar issue where SSLv3 was omitted from the ssl-enum-ciphers
> output even though support for an MD5 cipher was still flagged as a warning
> (despite no MD5 ciphers being listed in the output, which is why I spotted
> the inconsistency and investigated further) until I'd made the change that
> I'd committed in r36559.
>
> I'm wondering if your change in r36581 might fix the root cause of the
> issue
> I encountered (and I wonder if YTKColumba would have seen the TLSv1.2
> output
> if they'd tried an SVN version with my workaround). I seem to recall seeing
> similar handshake failures in the debug output (plus I temporarily added my
> own debug output to see where/why it was failing), but due to the
> environment I was testing I couldn't remove any data (I had to write what
> was thankfully only a 6 line fix on a Post-it note and type it back up
> again) or do any further investigation once I'd left site.
>
> Rob
>
> -----Original Message-----
> From: svn [mailto:svn-bounces () nmap org] On Behalf Of
> commit-mailer () nmap org
> Sent: 24 February 2017 15:48
> To: svn () nmap org
> Subject: [nmap-svn] r36581 - nmap/scripts
>
> Author: dmiller
> Date: Fri Feb 24 07:47:48 2017
> New Revision: 36581
>
> Log:
> Don't consider protocol mismatch for alerts other than protocol_version to
> be a protocol rejection. http://serverfault.com/q/832207/112426
>
> Modified:
>    nmap/scripts/ssl-enum-ciphers.nse
>
> Modified: nmap/scripts/ssl-enum-ciphers.nse
> ============================================================
> ================
> ==
> --- nmap/scripts/ssl-enum-ciphers.nse   (original)
> +++ nmap/scripts/ssl-enum-ciphers.nse   Fri Feb 24 07:47:48 2017
> @@ -605,8 +605,11 @@
>        if alert then
>          ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
>          if alert["protocol"] ~= protocol then
> -          ctx_log(1, protocol, "Protocol rejected.")
> -          protocol_worked = nil
> +          ctx_log(1, protocol, "Protocol mismatch (received %s)",
> alert.protocol)
> +          -- Sometimes this is not an actual rejection of the protocol.
> Check specifically:
> +          if get_body(alert, "description", "protocol_version") then
> +            protocol_worked = nil
> +          end
>            break
>          elseif get_body(alert, "description", "handshake_failure") then
>            protocol_worked = true
>
> _______________________________________________
> Sent through the svn mailing list
> https://nmap.org/mailman/listinfo/svn
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/