Nmap Development mailing list archives
Re: SSL support in Ncat - client version issue: what do other apps do?
From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Feb 2009 22:37:34 -0700
On Sun, Feb 08, 2009 at 02:38:18PM +0100, Kristof Boeynaems wrote:
On Sun, Feb 8, 2009 at 11:37 AM, Brandon Enright <bmenrigh () ucsd edu> wrote: Additionally, we might use the SSL_set_ssl_method() method (http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html) to change the connection method of the current SSL object (and thus reusing the object). This seems to be the best idea. Alternatively, we might use the SSL_CTX_set_ssl_version() method (also listed on that page) to change the sslnfo->ctx and then create a new SSL object from this new context. This will affect all new SSL objects created based on this context though, which is more likely to have repercussions on other functionality.
I looked at the source code of some other applications to see how they handle SSL client connections. None that I found use the fallback/retry technique that has been discussed (and implemented at http://seclists.org/nmap-dev/2009/q1/0430.html). Wget only supports one client method at a time, but it provides command-line options to choose which method to use. If you say --secure-protocol=auto, it uses SSLv23_client_method, if you say --secure-protocol=TLSv1, it uses TLSv1_client_method, etc. See src/openssl.c. http://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html cURL is the same, only supporting one method at a time but providing options --tlsv1, --sslv2, --sslv3. If none of those are given the SSLv23_client_method method is used. See lib/ssluse.c. socat again only supports one method per connection. It has a method option to choose which one is used: method=SSLv2, method=SSLv23, etc. See xio-openssl.c. http://www.dest-unreach.org/socat/doc/socat.html#GROUP_OPENSSL That seems to be a common solution: provide SSL version selection for use against those servers that require it, and use SSLv23_client_method by default. Doing this would be adequate for Ncat's needs. Nmap's version detection is another story. You may hit servers requiring any version of SSL during a single run, so it's not enough to have one global setting. Falling back to different client methods is a good solution if the implementation can be worked out. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 07)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue David Fifield (Feb 17)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 18)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? Kristof Boeynaems (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 18)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters David Fifield (Feb 27)