Nmap Development mailing list archives

Re: SSL support in Ncat - client version issue: what do other apps do?


From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Wed, 18 Feb 2009 08:41:55 +0100

On Wed, Feb 18, 2009 at 6:37 AM, David Fifield <david () bamsoftware com> wrote:
> I looked at the source code of some other applications to see how they
> handle SSL client connections. None that I found use the fallback/retry
> technique that has been discussed (and implemented at
> http://seclists.org/nmap-dev/2009/q1/0430.html).
>
> Wget only supports one client method at a time, but it provides
> command-line options to choose which method to use. If you say
> --secure-protocol=auto, it uses SSLv23_client_method, if you say
> --secure-protocol=TLSv1, it uses TLSv1_client_method, etc. See
> src/openssl.c.
> http://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html
>
> cURL is the same, only supporting one method at a time but providing
> options --tlsv1, --sslv2, --sslv3. If none of those are given the
> SSLv23_client_method method is used. See lib/ssluse.c.
>
> socat again only supports one method per connection. It has a method
> option to choose which one is used: method=SSLv2, method=SSLv23, etc.
> See xio-openssl.c.
> http://www.dest-unreach.org/socat/doc/socat.html#GROUP_OPENSSL
>
> That seems to be a common solution: provide SSL version selection for
> use against those servers that require it, and use SSLv23_client_method
> by default.

David,

Thanks for this list, very interesting!

Accidentally I bumped into a post where Nessus discusses the exact
same problem: http://list.nessus.org/pipermail/nessus-devel/2002-February/msg00002.html.
Not sure how they currently implement it, but apparently in 2002, the
plan was to try 4 different connections.

> Doing this would be adequate for Ncat's needs. Nmap's version detection
> is another story. You may hit servers requiring any version of SSL
> during a single run, so it's not enough to have one global setting.
> Falling back to different client methods is a good solution if the
> implementation can be worked out.

Agree, for Ncat a mere option should be adequate, while for Nmap we
really need to try the right connection method, e.g. by using probing
information as described in my post at
http://seclists.org/nmap-dev/2009/q1/0350.html.

In any case, Nsock would have to be extended to support an SSLv3 and a
TLSv1 connect method.

Cheers,

Kristof
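The fallback/retry idea discussed in this thread, as an added example that is not code from Ncat, Nsock or any of the projects David surveyed. Ncat and Nsock are C on top of OpenSSL; this stand-alone Python sketch instead works at the record layer so it runs without a network: it builds an SSLv3/TLS-format ClientHello for a given version, classifies the server's first reply (ServerHello or alert), and walks down a list of client versions when the server rejects the hello, which is what switching from one OpenSSL client method to the next amounts to. The SSLv2-compatible hello that SSLv23_client_method sends is not modelled, the `send` callable is a hypothetical transport that must open a fresh connection per attempt, and `picky_server` is a constructed stand-in for a server that accepts exactly one version; a real server that simply closes the connection instead of sending an alert is not handled here.

```python
import struct

# Record-layer protocol versions as they appear on the wire (major, minor).
SSLV3 = (3, 0)
TLSV1 = (3, 1)

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70   # TLS only; SSLv3 servers send handshake_failure instead


def _record(content_type, version, payload):
    """Wrap `payload` in an SSLv3/TLS record header: type, version, length."""
    return bytes([content_type]) + bytes(version) + struct.pack("!H", len(payload)) + payload


def _handshake(msg_type, body):
    """Handshake message header: type (1 byte) and 24-bit body length."""
    return bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body


def client_hello(version, ciphers=(0x002F, 0x000A)):
    """Minimal ClientHello in the SSLv3/TLS hello format (no SSLv2-compatible hello).
    Random is zeroed and the session id is empty; only `version` matters here."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    return _record(CONTENT_HANDSHAKE, version, _handshake(HS_CLIENT_HELLO, body))


def server_hello(version, cipher=0x002F):
    """Minimal ServerHello carrying the version the server settled on."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    return _record(CONTENT_HANDSHAKE, version, _handshake(HS_SERVER_HELLO, body))


def alert(version, description, level=2):
    """Alert record; level 2 is fatal."""
    return _record(CONTENT_ALERT, version, bytes([level, description]))


def parse_response(rec):
    """Classify the first record a server sends back to a ClientHello.
    Returns ("hello", (major, minor)) for a ServerHello or ("alert", description)."""
    if len(rec) < 5:
        raise ValueError("truncated record header")
    ctype, length = rec[0], struct.unpack("!H", rec[3:5])[0]
    payload = rec[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    if ctype == CONTENT_ALERT and length >= 2:
        return ("alert", payload[1])
    if ctype == CONTENT_HANDSHAKE and length >= 6 and payload[0] == HS_SERVER_HELLO:
        return ("hello", (payload[4], payload[5]))
    raise ValueError("unexpected record type 0x%02x" % ctype)


def negotiate(send, versions=(TLSV1, SSLV3), trace=None):
    """Fallback loop: try each client version in order and drop to the next one
    when the server answers with a version or handshake alert. `send` is a
    hypothetical transport: it must open a fresh connection on every call (a
    rejected hello leaves the old connection unusable) and return the first
    record the server replies with. Returns the negotiated (major, minor)."""
    for version in versions:
        kind, detail = parse_response(send(client_hello(version)))
        if trace is not None:
            trace.append((version, kind, detail))
        if kind == "hello":
            return detail
        if detail not in (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION):
            raise ConnectionError("fatal alert %d, not a version problem" % detail)
    raise ConnectionError("server accepted none of %r" % (versions,))


def picky_server(only_version):
    """Constructed stand-in for a server that speaks exactly one version and
    rejects every other hello with handshake_failure. Not a real server."""
    def respond(hello_record):
        client_version = (hello_record[9], hello_record[10])  # ClientHello.client_version
        if client_version == only_version:
            return server_hello(only_version)
        return alert(only_version, ALERT_HANDSHAKE_FAILURE)
    return respond


if __name__ == "__main__":
    attempts = []
    print("negotiated", negotiate(picky_server(SSLV3), trace=attempts), "after", attempts)
```

Against the SSLv3-only stand-in the TLSv1 hello draws a handshake_failure alert and the loop retries with an SSLv3 hello, which is the per-connection behaviour Nmap's version detection needs; for Ncat, the `versions` tuple is where a single command-line option such as the ones Wget, cURL and socat expose would pin one method.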

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org