Nmap Development mailing list archives
Re: SSL support in Ncat - confusing server parameters and client version issue
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 8 Feb 2009 10:37:43 +0000
On Sun, 8 Feb 2009 11:25:07 +0100 or thereabouts Kristof Boeynaems <kristof.boeynaems () gmail com> wrote:
Am I missing something, or does Ncat indeed not support pure TLSv1 and SSLv3 servers?
Hi Kristof,

I mentioned this issue (as it related to Nessus wrapped in SSL) in
http://seclists.org/nmap-dev/2008/q2/0702.html

I'm glad you've done more digging and provided really useful info. I tend to think we should try in order, SSLv23, TLSv1 and then SSLv3. Do the OpenSSL routines report the connect error nicely so that this fallback is fast? I know when I use s_client I get errors like this:

$ openssl s_client -connect 127.0.0.1:1241
CONNECTED(00000003)
7640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

SSL connect errors should be rare enough that it is okay to take the extra time to try the other connect options. I know I'd prefer to fingerprint/scan more comprehensively at the cost of a tiny bit of speed.

Are the changes needed as simple as calling other ..._client_method() routines if the first returns an error? Are there any other repercussions to doing this?

Brandon
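A sketch of the ordered fallback discussed in this message, added here as an example; it is not Ncat's code and not part of the original post. It uses Python's ssl module instead of OpenSSL's ..._client_method() routines, and the attempt list, function names and injectable `handshake` parameter are assumptions (pinned TLS versions stand in for the TLSv1 and SSLv3 steps, since SSLv3 is generally unavailable in current builds).

```python
import socket
import ssl

# Assumed attempt order for this sketch: let the library negotiate first,
# then retry with a single pinned protocol version, newest to oldest.
ATTEMPTS = [("auto", None),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
            ("TLSv1", ssl.TLSVersion.TLSv1)]


def tls_handshake(host, port, pinned, timeout=5.0):
    """Perform one real handshake; pinned=None lets the library negotiate."""
    ctx = ssl.create_default_context()
    if pinned is not None:
        ctx.minimum_version = ctx.maximum_version = pinned
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except BaseException:
        sock.close()
        raise


def connect_with_fallback(host, port, attempts=ATTEMPTS, handshake=tls_handshake):
    """Return (connection, label, failures); retry only on handshake errors.

    Refused connections and timeouts propagate at once, so the extra
    attempts are only spent on peers that rejected the handshake itself.
    """
    failures = []
    for label, pinned in attempts:
        try:
            conn = handshake(host, port, pinned)
        except ssl.SSLCertVerificationError:
            raise      # the peer spoke TLS; another version will not fix trust
        except (ssl.SSLError, ConnectionResetError) as exc:
            # Protocol-level rejection: record it and try the next method.
            failures.append((label, getattr(exc, "reason", None) or str(exc)))
            continue
        return conn, label, failures
    raise ConnectionError(f"no TLS method accepted: {failures}")
```

The returned `failures` list shows which attempts were rejected before one succeeded, so a caller can log when a connection only worked with an older pinned version.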