Nmap Development mailing list archives

Re: [NSE] Convert ssl-known-key to use sslcert.lua


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 7 Jul 2012 16:58:47 -0500

One more question before I commit this: Should ssl-known-key be in the
default category? Network-wise, it's very minimal, especially after
sslcert integration. The only limitation I'd think would be that it
stores a fairly large table in the nmap.registry, which could increase
memory usage somewhat. Any thoughts?

Dan

On Sat, Jul 7, 2012 at 6:04 AM, David Fifield <david () bamsoftware com> wrote:
On Fri, Jul 06, 2012 at 04:21:50PM -0500, Daniel Miller wrote:
List,

I'm about to commit this patch, which converts ssl-known-key.nse to
use the sslcert library, which will allow it to use the cached
certificate for a service, avoiding extra SSL connections. This will
also allow it to get certificates for services that use STARTTLS or
other methods that the sslcert library understands, instead of just
a straight SSL-over-TCP connection.

index bc65df8..7346fe7 100644
--- a/scripts/ssl-known-key.nse
+++ b/scripts/ssl-known-key.nse
@@ -2,6 +2,7 @@ local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
+local sslcert = require "sslcert"

-- -*- mode: lua -*-
-- vim: set filetype=lua :
@@ -112,17 +113,11 @@ action = function(host, port)
       end
       local fingerprints = result

-       -- Connect to host.
-       local sock = nmap.new_socket()
-       local status, err = sock:connect(host, port, "ssl")
-       if not status then
-               stdnse.print_debug(1, "Failed to connect: %s", err)
-               return
-       end
-
       -- Get SSL certificate.
-       local cert = sock:get_ssl_certificate()
-       sock:close()
+       local status, cert = sslcert.getCertificate(host, port)
+  if not status then
+    stdnse.print_debug(2, "sslcert.getCertificate error: %s", cert)
+  end
       if not cert:digest("sha1") then
               stdnse.print_debug(2, "Certificate does not have a
SHA-1 fingerprint.")
               return
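Review bot: the error branch after `sslcert.getCertificate` in the second hunk falls through instead of returning, so when `status` is false `cert` holds the error string and the next line, `if not cert:digest("sha1") then`, will fail by calling a method on a string; add a `return` inside the `if not status then` block, mirroring the removed `sock:connect` failure path. The three added lines also use two-space indentation while the rest of the script is tab-indented, so they should be reindented to match the file.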

Any thoughts or comments would be appreciated.

Sounds like a good idea to me.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

