NSE: Need advice on pulling SSL cert used for TLS connection over SMTP port 25

[Tom Sellers <nmap () fadedcode net>]

Ok, I have been messing around with trying to pull the SSL cert that is
being used for the TLS connection over port 25.  After a couple questions
from David I have basically decided that I am probably making this much
harder than it has to be and wasting time.

Basically I am trying to gather information about the SSL certificate that
is being used for a SMTP over TLS connection on port 25.  The problem is that
the session starts out non-SSL.  Once the connection is made, and if the
server supports it, the client issues the STARTTLS command and then a TLS
connection is negotiated.

This port is different than 465 where the whole conversation starts out and
is encapsulated with SSL/TLS.

I have tried connecting to port 25 with a socket, getting to STARTTLS and
then trying to use get_ssl_certificate() but I think at that point it expects
that the SSL tunnel has already been negotiated.

My last effort involved modifying ssl-cert.nse to work on port 25, then
if the SSL session errored out on port 25/smtp I would open a fresh socket,
toss EHLO at it, vet the response and then send STARTTLS.  If that is all
good I tried grabbing the cert..

Any thoughts on kicking off the SSL negotiation on a existing socket or any
thing else that would help for that matter.

Thanks much,
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org