Nmap Development mailing list archives

Re: [NSE] SSL certificate chain and verification


From: Jesper Kückelhahn <dev.kyckel () gmail com>
Date: Sat, 8 Jun 2013 16:24:58 +0200

Hi Patrik,

I've been testing the patch a bit, and it seems like a very nice feature to add to nmap. I've listed some of the things I've noticed during my testing.

1. Would it make sense to implement the warning as a table instead? This way there could be more than one warning, such as "self signed", "expired", etc.
2. Currently the script returns a "Certificate Warning: unable to get local issuer certificate" warning for certificates that have expired. Maybe this could be changed to "Certificate Warning: Certificate has expired"?
3. Would it be possible to check if the subject CommonName matches either the supplied domain name (assuming that the supplied host is not an IP address) or the reverse lookup?
4. If I'm understanding the verification correctly, it uses the local installation of OpenSSL to verify the certificate. If this is the case, then couldn't it be that the results of the verification might vary across different systems, depending on the version of OpenSSL and the local list of trusted certificates? Would it then make sense to include such a list of trusted certificates in nmap, so the results are consistent? Or am I missing something in my understanding of OpenSSL's verification process?

On a side note, it seems that the output is a bit off (notice the missing newline at ssl-cert and the indentation level):
"
| ssl-cert: Certificate Warning: self signed certificate
| Subject: commonName=xxx
| Issuer: commonName=xxx
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2008-03-19T10:37:24+00:00
| Not valid after:  2018-03-17T10:37:24+00:00
"
I checked the current svn revision, and it seems to generate the same output, so I don't think it's related to your patch, but I thought I'd mention it. It seems this is caused by the string output of the script, since removing ", output_str(cert)" from the return statement in "action" corrects this issue.


Regards,
  Jesper

  

On May 24, 2013, at 3:37 AM, Patrik Karlsson <patrik () cqure net> wrote:

Hi,

The attached patch is an attempt to add the SSL certificate chain and a
potential warning generated upon cert verification to the cert NSE table.
It also updates the ssl-cert script to output the chain and any warning
received. Running against a server with a self-signed cert should now
generate a warning, while running against a site signed by a trusted CA
should not.

In the event you find that this works, is useful and want it committed I
would appreciate if someone could take the time to review the changes
thoroughly.

/Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77
<ssl-cert-chain.patch>
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
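
Points 1 to 3 of the reply above (several warnings at once, a distinct expiry warning, and a name check that is skipped for IP targets), sketched as an added example that is not part of the thread or of the patch. The dictionary layout, the function names and the warning strings are assumptions made for illustration and are not the NSE cert table; the self-signed test is a subject/issuer comparison only, and no reverse lookup or chain verification is done.

```python
from datetime import datetime, timezone
import ipaddress

# Constructed sample, shaped like the ssl-cert output quoted in the thread.
SAMPLE = {
    "subject": {"commonName": "xxx"},
    "issuer": {"commonName": "xxx"},
    "not_before": datetime(2008, 3, 19, 10, 37, 24, tzinfo=timezone.utc),
    "not_after": datetime(2018, 3, 17, 10, 37, 24, tzinfo=timezone.utc),
}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # refuse wildcards such as "*.com"
        p, h = p[1:], h[1:]
    return p == h

def cert_warnings(cert, host, now=None):
    """Return every warning that applies, not just the first one found."""
    now = now or datetime.now(timezone.utc)
    warnings = []
    # Heuristic only: identical subject and issuer, signature not verified.
    if cert["subject"] == cert["issuer"]:
        warnings.append("self signed certificate")
    if now > cert["not_after"]:
        warnings.append("certificate has expired")
    if now < cert["not_before"]:
        warnings.append("certificate is not yet valid")
    # Skip the name check when the target was supplied as an IP address.
    if not is_ip(host):
        names = cert.get("alt_names") or [cert["subject"].get("commonName", "")]
        if not any(name_matches(n, host) for n in names):
            warnings.append("subject name does not match " + host)
    return warnings
```
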
