Re: SSL support in Ncat - confusing server parameters and client version issue

[David Fifield <david () bamsoftware com>]

On Sun, Feb 08, 2009 at 02:38:18PM +0100, Kristof Boeynaems wrote:
> On Sun, Feb 8, 2009 at 11:37 AM, Brandon Enright <bmenrigh () ucsd edu> wrote:
> > SSL connect errors should be rare enough that it is okay to take the
> > extra time to try the other connect options.  I know I'd prefer to
> > fingerprint/scan more comprehensively at the cost of a tiny bit of
> > speed.
> >
> > Are the changes needed as simple as calling other ..._client_method()
> > routines if the first returns an error?  Are there any other
> > repercussions to doing this?
>
> Based on some testing, this type of problem does not seem to return a
> very specific error. In these cases, the SSL_connect() call in
> nsock_core.c seems to fail with sslerr == SSL_ERROR_SYSCALL and rc ==
> 0. We might try to act on that.

In my testing I did see SSL_ERROR_SYSCALL but also other values. See
below.

> Additionally, we might use the SSL_set_ssl_method() method
> (http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html) to
> change the connection method of the current SSL object (and thus
> reusing the object). This seems to be the best idea.
> Alternatively, we might use the SSL_CTX_set_ssl_version() method (also
> listed on that page) to change the sslnfo->ctx and then create a new
> SSL object from this new context. This will affect all new SSL objects
> created based on this context though, which is more likely to have
> repercussions on other functionality.

I made a small test program to test out this strategy. Compile it with

        cc -g  ssl_method.c -lssl -o ssl_method

Here's a sample of its output against different server versions.

$ openssl s_server -key test-key.pem -cert test-cert.pem
$ ./ssl_method localhost 4433
Attempting connection with method SSLv23_client_method.
Connected to 127.0.0.1:4433.
SSL handshake completed.

$ openssl s_server -key test-key.pem -cert test-cert.pem -tls1
$ ./ssl_method localhost 4433
Attempting connection with method SSLv23_client_method.
Connected to 127.0.0.1:4433.
Error in SSL_connect (rc 0, err 0, ssl_err 5, errno 0).
error:00000005:lib(0):func(0):DH lib
Attempting connection with method TLSv1_client_method.
Connected to 127.0.0.1:4433.
SSL handshake completed.

$ openssl s_server -key test-key.pem -cert test-cert.pem -ssl3
$ ./ssl_method localhost 4433
Attempting connection with method SSLv23_client_method.
Connected to 127.0.0.1:4433.
Error in SSL_connect (rc 0, err 0, ssl_err 5, errno 0).
error:00000005:lib(0):func(0):DH lib
Attempting connection with method TLSv1_client_method.
Connected to 127.0.0.1:4433.
Error in SSL_connect (rc -1, err 336130315, ssl_err 1, errno 0).
error:00000005:lib(0):func(0):DH lib
Attempting connection with method SSLv3_client_method.
Connected to 127.0.0.1:4433.
SSL handshake completed.

The technique of calling SSL_set_ssl_method with each different client
method does work. It is fairly awkward as you have to bring up a new
socket every time. For that reason it would not be easy to build into
Nsock, but the idea is still sound.

David Fifield

Attachment: ssl_method.c
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org