Nmap Development mailing list archives
Re: Proposed SSL version detection probe changes
From: Fyodor <fyodor () insecure org>
Date: Mon, 16 Feb 2009 23:53:04 -0800
On Mon, Feb 09, 2009 at 10:33:44PM +0100, Kristof Boeynaems wrote:
On Sun, Feb 8, 2009 at 7:06 PM, <doug () hcsw org> wrote: Instead of trying to fingerprint the SSL response, I think it is more robust to simply *recognize* SSL, and then reconnect with an SSL probe to get more information on the application behind SSL.
This is our general approach now. We do recognize some SSL apps directly, as that helps for the dwindling number of Nmap users without SSL support.
2. Rewrite the SSL connection engine to take the exact SSL version detected by the probes (e.g. "sslv2", "sslv3" or "tlsv1"), and create the correct SSL connection (that is, SSLv2-compatible (SSLv23), TLSv1-only or SSLv3-only). An additional requirement for this step is that the extended SSL connection support can also be integrated with Ncat, of course (as this is how it all started, see http://seclists.org/nmap-dev/2009/q1/0319.html ;)) Any thoughts on this approach?
I agree that we should make sure Nsock can connect to any reasonable SSL servers. Have you found any SSL servers on the Internet for which browsers can connect, but ncat and/or version detection (they use the same SSL connection creation calls) can't? Cheers, -F _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Proposed SSL version detection probe changes Kristof Boeynaems (Feb 08)
- Re: Proposed SSL version detection probe changes doug (Feb 08)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 09)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 10)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 18)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 21)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Mar 21)
- Re: Proposed SSL version detection probe changes doug (Feb 08)