Nmap Development mailing list archives

Re: SSL support in Ncat - confusing server parameters and client version issue


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 8 Feb 2009 10:37:43 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 8 Feb 2009 11:25:07 +0100 or thereabouts Kristof Boeynaems
<kristof.boeynaems () gmail com> wrote:


> Am I missing something, or does Ncat indeed not support pure TLSv1
> and SSLv3 servers?


Hi Kristof,

I mentioned this issue (as it related to Nessus wrapped in SSL) in
http://seclists.org/nmap-dev/2008/q2/0702.html

I'm glad you've done more digging and provided really useful info.

I tend to think we should try in order, SSLv23, TLSv1 and then SSLv3.
Do the OpenSSL routines report the connect error nicely so that this
fallback is fast?

I know when I use s_client I get errors like this:

$ openssl s_client -connect 127.0.0.1:1241
CONNECTED(00000003)
7640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:


SSL connect errors should be rare enough that it is okay to take the
extra time to try the other connect options.  I know I'd prefer to
fingerprint/scan more comprehensively at the cost of a tiny bit of
speed.

Are the changes needed as simple as calling other ..._client_method()
routines if the first returns an error?  Are there any other
repercussions to doing this?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmOtfgACgkQqaGPzAsl94KP4gCgiop+iiHCFQTOv4xh7J9M1OzZ
LnQAn1rZEsG2DUPla54NA9idpOtfr+kc
=Ktg7
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
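
The fallback order proposed in the message above (SSLv23, then TLSv1, then SSLv3), sketched in Python as an added example; it is not code from Ncat or from the thread. `parse_error_line`, `connect_with_fallback` and the `try_connect` callback are hypothetical names, and the numeric decoding assumes the pre-3.0 OpenSSL error-code layout (8 bits library, 12 bits function, 12 bits reason).

```python
import re

# One line of OpenSSL's printed error queue (pre-3.0 format):
# pid:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
# Order proposed in the message above.
FALLBACK_ORDER = ("SSLv23", "TLSv1", "SSLv3")

def parse_error_line(text):
    """Parse one error-queue line; return a dict, or None if it does not match."""
    m = ERR_LINE.match(" ".join(text.split()))  # undo e-mail line wrapping
    if m is None:
        return None
    rec = m.groupdict()
    code = int(rec["code"], 16)
    # Assumed ERR_PACK layout (before OpenSSL 3.0): library, function, reason.
    rec.update(lib_num=code >> 24, func_num=(code >> 12) & 0xFFF,
               reason_num=code & 0xFFF)
    return rec

def is_handshake_failure(rec):
    """True when the parsed error is a protocol-level handshake failure."""
    return rec is not None and rec["reason"].strip() == "ssl handshake failure"

def connect_with_fallback(try_connect, order=FALLBACK_ORDER):
    """Call try_connect(method) for each method in order.
    try_connect (hypothetical callback) returns None on success, or the
    error-queue line on failure. Only a handshake failure moves on to the
    next method; any other error stops. Returns (method or None, attempts)."""
    attempts = []
    for method in order:
        err = try_connect(method)
        attempts.append((method, err))
        if err is None:
            return method, attempts
        if not is_handshake_failure(parse_error_line(err)):
            break
    return None, attempts

# Error text quoted in the message, with its e-mail line wrap, as sample input.
SAMPLE = ("7640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake\n"
          "failure:s23_lib.c:188: ")
```

Because only a handshake failure advances to the next method, an unrelated error such as a refused connection ends the loop after one attempt.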

