Nmap Development mailing list archives
Re: [nmap-svn] r36581 - nmap/scripts
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 25 Feb 2017 20:13:42 -0600
Rob,

No, the cause of the trouble here was that the server was choosing to issue all TLS alert messages with the TLSv1.1 record layer, even if we tried to initiate a TLSv1.2 handshake. In some cases, it would even fall back to TLSv1.1 if an offered cipher was supported for that version but not for TLSv1.2. That alone would be fine except it would happen even if the record layer version we used was higher than TLSv1.1. So we never got as far as certificate parsing.

I do thank you for catching that unusual case, though.

Dan

On Sat, Feb 25, 2017 at 7:12 AM, Rob Nicholls <robert () robnicholls co uk> wrote:
Hi Dan,

I followed the link and saw the output from Nmap 7.40 that was missing the list of TLSv1.2 ciphers. Did the person try using an SVN build at any point?

I had a similar issue where SSLv3 was omitted from the ssl-enum-ciphers output even though support for an MD5 cipher was still flagged as a warning (despite no MD5 ciphers being listed in the output, which is why I spotted the inconsistency and investigated further) until I'd made the change that I'd committed in r36559. I'm wondering if your change in r36581 might fix the root cause of the issue I encountered (and I wonder if YTKColumba would have seen the TLSv1.2 output if they'd tried an SVN version with my workaround).

I seem to recall seeing similar handshake failures in the debug output (plus I temporarily added my own debug output to see where/why it was failing), but due to the environment I was testing I couldn't remove any data (I had to write what was thankfully only a 6 line fix on a Post-it note and type it back up again) or do any further investigation once I'd left site.

Rob

-----Original Message-----
From: svn [mailto:svn-bounces () nmap org] On Behalf Of commit-mailer () nmap org
Sent: 24 February 2017 15:48
To: svn () nmap org
Subject: [nmap-svn] r36581 - nmap/scripts

Author: dmiller
Date: Fri Feb 24 07:47:48 2017
New Revision: 36581

Log:
Don't consider protocol mismatch for alerts other than protocol_version to be a protocol rejection.
http://serverfault.com/q/832207/112426

Modified:
nmap/scripts/ssl-enum-ciphers.nse

Modified: nmap/scripts/ssl-enum-ciphers.nse ============================================================ ================ == --- nmap/scripts/ssl-enum-ciphers.nse (original) +++ nmap/scripts/ssl-enum-ciphers.nse Fri Feb 24 07:47:48 2017 
@@ -605,8 +605,11 @@ if alert then ctx_log(2, protocol, "Got alert: %s", alert.body[1].description) if alert["protocol"] ~= protocol then - ctx_log(1, protocol, "Protocol rejected.") - protocol_worked = nil + ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol) + -- Sometimes this is not an actual rejection of the protocol. Check specifically: + if get_body(alert, "description", "protocol_version") then + protocol_worked = nil + end break elseif get_body(alert, "description", "handshake_failure") then protocol_worked = true _______________________________________________ Sent through the svn mailing list https://nmap.org/mailman/listinfo/svn _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
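Review bot: In the protocol-mismatch branch the `break` still runs for every alert, so an alert other than protocol_version that arrives with a different record version leaves the loop with protocol_worked unchanged, while the same handshake_failure alert in the `elseif` below sets protocol_worked = true. If a mismatch on its own is no longer a rejection, it would help to either handle handshake_failure in this branch as well or say in the comment why leaving the loop without a verdict is the intended result. Two smaller points: the new comment says "Sometimes" without naming the case from the commit log (a server answering with a different record-layer version than the one offered), and the rejection itself is no longer logged, so a ctx_log call inside the new `if` would keep it visible in debug output. The branch also mixes `alert["protocol"]` and `alert.protocol`; one form would read more cleanly.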
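The record-layer mismatch discussed in this thread, as an added example that is not part of the original messages or of ssl-enum-ciphers.nse: a Python model that parses a plaintext TLS alert record and compares the verdict before and after r36581. The names `parse_alert` and `classify` and the verdict strings are hypothetical, the sample records are constructed, and only the branches visible in the hunk are modelled.

```python
import struct

# Record-layer version numbers and alert codes as assigned by the TLS RFCs.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_alert(record):
    """Parse one plaintext TLS alert record into (protocol, level, description)."""
    if len(record) != 7:
        raise ValueError("a plaintext alert record is exactly 7 bytes")
    ctype, version, length, level, code = struct.unpack("!BHHBB", record)
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext alert record")
    return (VERSIONS.get(version, hex(version)),
            {1: "warning", 2: "fatal"}.get(level, "unknown"),
            ALERTS.get(code, "alert_%d" % code))

def classify(offered, record, patched=True):
    """Hypothetical helper mirroring only the branches visible in the hunk."""
    protocol, _level, description = parse_alert(record)
    if protocol != offered:
        if not patched:
            return "rejected"            # before r36581: any mismatch
        if description == "protocol_version":
            return "rejected"            # after r36581: only this alert
        return "mismatch only"
    if description == "handshake_failure":
        return "protocol worked"
    return "undetermined"                # branches not shown on the page

# Constructed sample records: type 21, version, length 2, level 2 (fatal), code.
HF_V11 = bytes.fromhex("15 0302 0002 02 28")   # handshake_failure, TLSv1.1 record
PV_V11 = bytes.fromhex("15 0302 0002 02 46")   # protocol_version, TLSv1.1 record
HF_V12 = bytes.fromhex("15 0303 0002 02 28")   # handshake_failure, TLSv1.2 record

if __name__ == "__main__":
    for name, rec in (("HF_V11", HF_V11), ("PV_V11", PV_V11), ("HF_V12", HF_V12)):
        print(name, parse_alert(rec), classify("TLSv1.2", rec, patched=False),
              "->", classify("TLSv1.2", rec))
```

The first sample is the case from the thread: a handshake_failure carried in a TLSv1.1 record after a TLSv1.2 offer counted as a rejection before the change and does not after it.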