Nmap Development mailing list archives
RE: Missing support for TLS server_name on Windows
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 24 Feb 2017 23:26:38 -0000
I believe HAVE_SSL_SET_TLSEXT_HOST_NAME is defined using Nsock's configure script when building Nmap on Linux, based on the capabilities of the version of OpenSSL we're telling Nmap to include, so checking for the TLS extension within nsock_core.c makes sense as support for it could change (otherwise non-Windows people could be more likely to hit fatal errors if we don't do the check).

People appear to be far less likely to build or include their own version of OpenSSL on Windows. I presume most people that build Nmap are using our binaries supplied in nmap-mswin32-aux. I've not double checked, but it makes sense that modern (1.0+) versions of OpenSSL support SNI by default, which is presumably why your hardcoded changes work okay. But it does mean if someone decided to compile their own (pre-1.0 or a non-default modern) version of OpenSSL without support for that TLS extension then they could more easily change the #define from 1 to 0 to match their crazy configuration instead of having to hack out the code in nsock_core.c (or have them hit a fatal error). I have no idea why they would do something like that, but then again I also have no idea why anyone would want to compile Nmap without SSL support.

Either way, it does sound like a necessary fix to ensure the correct certificate is returned on Windows, especially as I have encountered some cloud based web servers that require SNI. I'd go with your first suggestion for fixing it.

Rob

-----Original Message-----
From: dev [mailto:dev-bounces () nmap org] On Behalf Of nnposter
Sent: 24 February 2017 20:24
To: dev () nmap org
Subject: Missing support for TLS server_name on Windows

When running on Windows, Nsock currently does not provide support for TLS extension server_name, which has a large impact on successfully scanning TLS services. There are two ways how to fix it. Please see https://github.com/nmap/nmap/issues/700 for details.

Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
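
One way to confirm from the wire whether a client build actually sends the server_name extension discussed in this thread (an added example, not part of the thread or of Nmap's code): Python's ssl module stands in for the client under test and generates a ClientHello in memory, and the parser looks for extension type 0. The function names and the hostname are constructed for illustration.

```python
import ssl
import struct

SERVER_NAME_EXT = 0  # extension type for server_name (RFC 6066)

def client_hello(server_hostname):
    """Return the raw ClientHello bytes Python's ssl emits (no network used)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # no peer here; we only want the first flight
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:    # expected: nobody answers the ClientHello
        pass
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host_name in the server_name extension, or None if absent."""
    payload, pos = b"", 0
    while pos + 5 <= len(data):     # reassemble handshake records (type 22)
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        if ctype != 22:
            break
        payload += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(payload) < 4 or payload[0] != 1:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    p = 2 + 32                                        # version + random
    p += 1 + body[p]                                  # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")     # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions block
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, p)
        p += 4
        if etype == SERVER_NAME_EXT and body[p + 2] == 0:  # name_type host_name
            nlen = int.from_bytes(body[p + 3:p + 5], "big")
            return body[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

if __name__ == "__main__":
    print(sni_from_client_hello(client_hello("www.example.com")))
    print(sni_from_client_hello(client_hello(None)))
```

The same parser can be pointed at the first bytes a scanner sends to a local listener to verify that a Windows build includes the extension after the fix.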
Current thread:
- Missing support for TLS server_name on Windows nnposter (Feb 24)
- RE: Missing support for TLS server_name on Windows Rob Nicholls (Feb 24)
- Re: Missing support for TLS server_name on Windows nnposter (Feb 24)
- RE: Missing support for TLS server_name on Windows Rob Nicholls (Feb 24)