Nmap Development mailing list archives
Re: SSL support in Ncat - confusing server parameters and client version issue
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sun, 8 Feb 2009 14:38:18 +0100
On Sun, Feb 8, 2009 at 11:37 AM, Brandon Enright <bmenrigh () ucsd edu> wrote:
SSL connect errors should be rare enough that it is okay to take the extra time to try the other connect options. I know I'd prefer to fingerprint/scan more comprehensively at the cost of a tiny bit of speed. Are the changes needed as simple as calling other ..._client_method() routines if the first returns an error? Are there any other repercussions to doing this?
Hi Brandon, Thanks for picking this up. Based on some testing, this type of problem does not seem to return a very specific error. In these cases, the SSL_connect() call in nsock_core.c seems to fail with sslerr == SSL_ERROR_SYSCALL and rc == 0. We might try to act on that. Additionally, we might use the SSL_set_ssl_method() method (http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html) to change the connection method of the current SSL object (and thus reusing the object). This seems to be the best idea. Alternatively, we might use the SSL_CTX_set_ssl_version() method (also listed on that page) to change the sslnfo->ctx and then create a new SSL object from this new context. This will affect all new SSL objects created based on this context though, which is more likely to have repercussions on other functionality. Note that I did not try the changes proposed above; this is mainly based on information I found in the OpenSSL documentation referred above. I do not feel sufficiently versed in the nmap code to write a patch myself. Thanks, Kristof _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 07)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue David Fifield (Feb 17)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 18)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? Kristof Boeynaems (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 18)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters David Fifield (Feb 27)