Nmap Development mailing list archives
Re: SSL issues
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 13 Oct 2013 21:45:18 -0400
Hi, I'm responding to my own e-mail. Turns out this has nothing to do with Nmap but rather with the version of openssl I was using. Turns out the default SSL on my Macbook is 0.9.8r and it seems to have the following issue; http://rt.openssl.org/Ticket/Display.html?id=3038&user=guest&pass=guest What happens is that the "Unrecognized name" warning is treated as an error aborting the connection. If I specify the openssl which I have in ports 1.0.1e using the --with-openssl configuration directive, the problem does not exist. Either way this is somewhat annoying and I'm not sure what to do about it at this point? -Patrik On Sat, Oct 12, 2013 at 11:59 AM, Patrik Karlsson <patrik () cqure net> wrote:
List, I noticed the following behaviour when working on some changes for ssl-cert. When scanning svn.nmap.org by name or IP everything works as expected. However, scanning the same host using the hostname www.nmap.org fails. The command I'm using: nmap -p 443 --script ssl-cert www.nmap.org -d3 This is the result I'm getting: NSOCK INFO [0.6970s] handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2 NSOCK INFO [0.9840s] handle_connect_result(): EID 9 error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) NSOCK INFO [0.9840s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 9 [173.255.243.189:443] It appears that the server returns a TLSv1 warning with "unrecognized name" and if I comment the following code the script gives me the same result as if scanning by IP. #if HAVE_SSL_SET_TLSEXT_HOST_NAME if (iod->hostname != NULL) { if (SSL_set_tlsext_host_name(iod->ssl, iod->hostname) != 1) fatal("SSL_set_tlsext_host_name failed: %s", ERR_error_string(ERR_get_error(), NULL)); } #endif I'm not sure if this is the behaviour we want? If that is the case we may want to return a more descriptive error message. -Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 http://www.linkedin.com/in/nevdull77
-- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 http://www.linkedin.com/in/nevdull77 _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- SSL issues Patrik Karlsson (Oct 12)
- Re: SSL issues Patrik Karlsson (Oct 13)