Nmap Development mailing list archives

Re: [PATCH] Extended SSL support in Nmap


From: doug () hcsw org
Date: Sat, 21 Feb 2009 21:38:55 +0000

Hi Kristof,

Thanks for looking into version detection/SSL so deeply. There are usually
a few fingerprints for SSL services that weren't properly matched, though
I think recent versions of Nmap have gotten better because it mostly seems
to be outdated nmap versions that send these.

Would it be possible to keep the SSLSessionReq probe name? The thing is
that we often get fingerprints from old versions of Nmap and they will
all use the probe name SSLSessionReq which will make it difficult to
test them against an nmap-service-probes that doesn't have this probe.

I like how your patch doesn't modify the probe string sent by the SSL
probe. This is good because there are other non-SSL services that are
matched by the SSLSessionReq probe. If the probe string changed it
might obsolete those match lines and we'd have to start over with those
services. Off the top of my head, AFP and tor are two services matched
by this probe.

Anyway, your patch is looking good, as it sounds like it will increase
Nmap's SSL coverage. But this could potentially be a big change, so we
should make sure we think it all the way through. And of course any
modifications to the system need to be documented:

http://nmap.org/book/vscan-post-processors.html#vscan-ssl-postprocess

I think at least it will need to be made clear that there are multiple
services that will be passed to SSL post processing (if available),
not just ssl but now tlsv1, sslv3, sslv2, etc. As Fyodor said, it might
make more sense just to keep using ssl for everything unless there's a
really compelling reason otherwise.

Hope this helps,

Doug

Attachment: _bin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
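A small checker for the concern raised above about old fingerprints that reference a probe name the probes file no longer declares. This is an added example, not part of the original message and not Nmap's own code. It assumes a constructed nmap-service-probes excerpt in which the SSL probe has been renamed to the hypothetical "TLSSessionReq", a constructed SF-format fingerprint from an older Nmap that still records an SSLSessionReq response, and an alias map {"SSLSessionReq": "TLSSessionReq"} as a stand-in for keeping the old probe name usable when testing submissions.

```python
import re

# Constructed excerpt in nmap-service-probes syntax, NOT the real file: it
# models a probes file in which the SSL probe has been renamed to the
# hypothetical "TLSSessionReq" (the probe bytes here are placeholders).
PROBES_TEXT = r"""
# Constructed excerpt for the example.
Probe TCP NULL q||
Probe TCP GenericLines q|\r\n\r\n|
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
Probe TCP TLSSessionReq q|\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00|
match http m|^HTTP/1\.[01] \d\d\d| p/Generic HTTP/
"""

# Constructed fingerprint in the SF submission format produced by an older
# Nmap: the first line starts with SF-Port<port>-<proto>:V=<version>, and
# continuation lines start with "SF:". Each %r(Probe,HexLen,"Response")
# entry records the response to one named probe.
FINGERPRINT = r"""
SF-Port443-TCP:V=4.76%I=7%D=2/21%Time=499F0C3B%P=i686-pc-linux-gnu%r(GetRe
SF:quest,1A,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n")%r(SSLSessionReq,7,"\x15
SF:\x03\x01\x00\x02\x02\x28");
"""

PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q\|", re.MULTILINE)
VERSION_RE = re.compile(r"^SF-Port\d+-(?:TCP|UDP):V=([^%]+)%")
RESPONSE_RE = re.compile(r'%r\(([^,)]+),([0-9A-Fa-f]+),"')


def probe_names(probes_text):
    """Set of probe names declared by Probe directives in a probes file."""
    return {m.group(2) for m in PROBE_RE.finditer(probes_text)}


def join_fingerprint(fingerprint):
    """Undo the SF: line wrapping so %r(...) entries can be matched whole."""
    return re.sub(r"\nSF:", "", fingerprint.strip())


def fingerprint_version(fingerprint):
    """Nmap version recorded in the fingerprint's V= field, or None."""
    m = VERSION_RE.match(join_fingerprint(fingerprint))
    return m.group(1) if m else None


def fingerprint_probes(fingerprint):
    """Probe names, in order, that the fingerprint holds responses for."""
    joined = join_fingerprint(fingerprint)
    return [m.group(1) for m in RESPONSE_RE.finditer(joined)]


def unmatched_probes(fingerprint, probes_text, aliases=None):
    """Probe names the fingerprint references that the probes file does not
    declare. `aliases` maps an old probe name to its current name, so
    {"SSLSessionReq": "TLSSessionReq"} models keeping the old name usable."""
    aliases = aliases or {}
    known = probe_names(probes_text)
    missing = []
    for name in fingerprint_probes(fingerprint):
        if name not in known and aliases.get(name) not in known:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("fingerprint from Nmap", fingerprint_version(FINGERPRINT))
    print("probes referenced:", fingerprint_probes(FINGERPRINT))
    print("not in probes file:", unmatched_probes(FINGERPRINT, PROBES_TEXT))
    print("with alias:", unmatched_probes(
        FINGERPRINT, PROBES_TEXT, aliases={"SSLSessionReq": "TLSSessionReq"}))
```

Without the alias the old fingerprint's SSLSessionReq response cannot be tested against the renamed probes file at all; with the alias it resolves to the renamed probe, which is the practical reason for keeping the old probe name in the file.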

Current thread: