Nmap Development mailing list archives

Re: SSL support in Ncat - confusing server parameters and client version issue


From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sun, 8 Feb 2009 14:38:18 +0100

On Sun, Feb 8, 2009 at 11:37 AM, Brandon Enright <bmenrigh () ucsd edu> wrote:

> SSL connect errors should be rare enough that it is okay to take the
> extra time to try the other connect options.  I know I'd prefer to
> fingerprint/scan more comprehensively at the cost of a tiny bit of
> speed.
>
> Are the changes needed as simple as calling other ..._client_method()
> routines if the first returns an error?  Are there any other
> repercussions to doing this?

Hi Brandon,

Thanks for picking this up.

Based on some testing, this type of problem does not seem to return a
very specific error. In these cases, the SSL_connect() call in
nsock_core.c seems to fail with sslerr == SSL_ERROR_SYSCALL and rc ==
0. We might try to act on that.

Additionally, we might use the SSL_set_ssl_method() method
(http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html) to
change the connection method of the current SSL object (thus
reusing the object). This seems to be the best idea.
Alternatively, we might use the SSL_CTX_set_ssl_version() method (also
listed on that page) to change the sslnfo->ctx and then create a new
SSL object from this new context. This will affect all new SSL objects
created based on this context though, which is more likely to have
repercussions on other functionality.

Note that I did not try the changes proposed above; this is mainly
based on information I found in the OpenSSL documentation referred
to above. I do not feel sufficiently versed in the Nmap code to write a
patch myself.

Thanks,

Kristof

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
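
The retry policy discussed in this message, as an added example that is not part of the original post or of Nmap's nsock code: move on to the next client method only when a handshake fails with rc == 0 and SSL_ERROR_SYSCALL, and stop on any other failure. The `ex_` names, the method order and the simulated peer are assumptions; the handshake is a callback so the code builds without OpenSSL.

```c
#include <stddef.h>

/* Numeric values of OpenSSL's SSL_ERROR_* codes, copied so this builds without OpenSSL. */
enum { EX_SSL_ERROR_NONE = 0, EX_SSL_ERROR_SSL = 1, EX_SSL_ERROR_SYSCALL = 5 };

/* Hypothetical labels standing for SSLv23_client_method(), SSLv3_client_method(), etc. */
enum ex_method { EX_SSLV23, EX_SSLV3, EX_TLSV1, EX_SSLV2 };

/* One handshake attempt. In real code this would switch the SSL object with
 * SSL_set_ssl_method(), call SSL_connect(), return its rc and store
 * SSL_get_error() in *sslerr. */
typedef int (*ex_handshake_fn)(enum ex_method m, int *sslerr, void *peer);

/* The failure signature reported in the message: rc == 0 with SSL_ERROR_SYSCALL. */
static int ex_is_method_mismatch(int rc, int sslerr)
{
    return rc == 0 && sslerr == EX_SSL_ERROR_SYSCALL;
}

/* Try each method in order, falling through only on the mismatch signature.
 * Returns the method that connected, or -1. *attempts counts handshakes made. */
int ex_connect_with_fallback(ex_handshake_fn hs, void *peer,
                             const enum ex_method *order, size_t n, int *attempts)
{
    *attempts = 0;
    for (size_t i = 0; i < n; i++) {
        int sslerr = EX_SSL_ERROR_NONE;
        int rc = hs(order[i], &sslerr, peer);
        (*attempts)++;
        if (rc == 1)
            return (int)order[i];   /* caller can report which method worked */
        if (!ex_is_method_mismatch(rc, sslerr))
            return -1;              /* different failure: a retry would hide it */
    }
    return -1;
}

/* Constructed peer for the demo: accepts one method, fails all others with fail_code. */
struct ex_peer { enum ex_method accepts; int fail_code; };

int ex_fake_handshake(enum ex_method m, int *sslerr, void *p)
{
    const struct ex_peer *peer = p;
    if (m == peer->accepts) { *sslerr = EX_SSL_ERROR_NONE; return 1; }
    *sslerr = peer->fail_code;
    return peer->fail_code == EX_SSL_ERROR_SYSCALL ? 0 : -1;
}
```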