Nmap Development mailing list archives

Re: Proposed SSL version detection probe changes


From: Fyodor <fyodor () insecure org>
Date: Mon, 16 Feb 2009 23:53:04 -0800

On Mon, Feb 09, 2009 at 10:33:44PM +0100, Kristof Boeynaems wrote:
> On Sun, Feb 8, 2009 at 7:06 PM,  <doug () hcsw org> wrote:
>
>> Instead of trying to fingerprint the SSL response, I think it is more
>> robust to simply *recognize* SSL, and then reconnect with an SSL probe
>> to get more information on the application behind SSL.

This is our general approach now.  We do recognize some SSL apps
directly, as that helps for the dwindling number of Nmap users without
SSL support.

> 2. Rewrite the SSL connection engine to take the exact SSL version
> detected by the probes (e.g. "sslv2", "sslv3" or "tlsv1"), and create
> the correct SSL connection (that is, SSLv2-compatible (SSLv23),
> TLSv1-only or SSLv3-only).
> An additional requirement for this step is that the extended SSL
> connection support can also be integrated with Ncat, of course (as
> this is how it all started, see
> http://seclists.org/nmap-dev/2009/q1/0319.html ;))
>
> Any thoughts on this approach?

I agree that we should make sure Nsock can connect to any reasonable
SSL servers.  Have you found any SSL servers on the Internet for which
browsers can connect, but ncat and/or version detection (they use the
same SSL connection creation calls) can't?

Cheers,
-F

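As an added illustration of the two steps discussed in this thread (recognize SSL from the server's first reply, then reconnect with a method matching the detected version), here is example code of my own, not from Nmap, Nsock or Ncat; the version names, the `reconnect_method` mapping and the sample byte strings are my assumptions.

```python
import struct

# Record/message constants from the SSL 2.0, SSL 3.0 and TLS 1.x specifications.
SSL2_SERVER_HELLO, RECORD_ALERT, RECORD_HANDSHAKE, HS_SERVER_HELLO = 0x04, 0x15, 0x16, 0x02
VERSION_NAMES = {0x0300: "sslv3", 0x0301: "tlsv1", 0x0302: "tlsv1.1", 0x0303: "tlsv1.2"}


def classify_ssl_reply(data: bytes):
    """Return (version_name, kind) for a server's first reply, or None if not SSL/TLS."""
    if len(data) >= 3 and data[0] & 0x80:
        # SSLv2 record: 2-byte header with the high bit set, then the message type.
        length = ((data[0] & 0x7F) << 8) | data[1]
        if len(data) < 2 + length or length < 5 or data[2] != SSL2_SERVER_HELLO:
            return None
        # SERVER-HELLO: type, session-id-hit, cert-type, then version MSB/LSB (0x0002).
        return ("sslv2", "server-hello") if data[5:7] == b"\x00\x02" else None
    if len(data) < 5:
        return None
    content_type, record_version = data[0], struct.unpack(">H", data[1:3])[0]
    if record_version not in VERSION_NAMES:
        return None
    if content_type == RECORD_ALERT:
        # Handshake refused: only the record-layer version is learned.
        return (VERSION_NAMES[record_version], "alert")
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        # ServerHello: handshake type, 3-byte length, then the version the server chose
        # (a TLS 1.3 server also puts 0x0303 here; its real choice sits in an extension).
        chosen = VERSION_NAMES.get(struct.unpack(">H", data[9:11])[0])
        return (chosen, "server-hello") if chosen else None
    return None


def reconnect_method(version_name: str) -> str:
    """Pick the method family for the follow-up probe connection: an SSLv2-compatible
    hello for sslv2, otherwise a single-version method."""
    if version_name == "sslv2":
        return "SSLv23"
    if version_name == "sslv3":
        return "SSLv3"
    if version_name.startswith("tlsv1"):
        return "TLSv1"
    raise ValueError(f"unknown SSL version name: {version_name!r}")


# Constructed sample replies (hand-built for this example, not captured traffic).
SAMPLE_SSL2 = bytes.fromhex("800b 0400 0100 0200 0000 0000 00")
SAMPLE_TLS1 = bytes.fromhex("160301002a 02000026 0301") + bytes(32) + bytes.fromhex("00002f00")
SAMPLE_ALERT = bytes.fromhex("1503000002 0228")
SAMPLE_HTTP = b"HTTP/1.0 400 Bad Request\r\n"
```

An alert reply still tells you which record-layer version the server speaks, which is worth recording when inventorying servers that only accept legacy versions.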
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org