Nmap Development mailing list archives
Re: [NSE] SSL certificate chain and verification
From: Jesper Kückelhahn <dev.kyckel () gmail com>
Date: Sat, 8 Jun 2013 16:24:58 +0200
Hi Patrik,

I've been testing the patch a bit, and it seems like a very nice feature to add to nmap. I've listed some of the things I've noticed during my testing.

1. Would it make sense to implement the warning as a table instead? This way there could be more than one warning, such as "self signed", "expired", etc.

2. Currently the script returns the "Certificate Warning: unable to get local issuer certificate" warning for certificates that have expired. Maybe this could be changed to "Certificate Warning: Certificate has expired"?

3. Would it be possible to check if the subject CommonName matches either the supplied domain name (assuming that the supplied host is not an IP address) or the reverse lookup?

4. If I'm understanding the verification correctly, it uses the local installation of OpenSSL to verify the certificate. If this is the case, then couldn't it be that the results of the verification might vary across different systems, depending on the version of OpenSSL and the local list of trusted certificates? Would it then make sense to include such a list of trusted certificates in nmap, so the results are consistent? Or am I missing something in my understanding of OpenSSL's verification process?

On a side note, it seems that the output is a bit off (notice the missing newline at ssl-cert and the indentation level):

"
| ssl-cert: Certificate Warning: self signed certificate
| Subject: commonName=xxx
| Issuer: commonName=xxx
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2008-03-19T10:37:24+00:00
| Not valid after: 2018-03-17T10:37:24+00:00
"

I checked the current svn revision, and it seems to generate the same output, so I don't think it's related to your patch, but I thought I'd mention it. It seems this is caused by the string output of the script, since removing ", output_str(cert)" from the return statement in "action" corrects this issue.

Regards,
Jesper

On May 24, 2013, at 3:37 AM, Patrik Karlsson <patrik () cqure net> wrote:
Hi,

The attached patch is an attempt to add the SSL certificate chain and a potential warning generated upon cert verification to the cert NSE table. It also updates the ssl-cert script to output the chain and any warning received. Running against a server with a self-signed cert should now generate a warning, while running against a site signed by a trusted CA should not.

In the event you find that this works, is useful and want it committed, I would appreciate if someone could take the time to review the changes thoroughly.

/Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77

<ssl-cert-chain.patch>

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
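The first three points in Jesper's review (collect warnings in a table rather than a single string, report expiry explicitly instead of the generic "unable to get local issuer certificate", and check the subject name against the scanned host) as an added example. This is Python written for this page, not the patch under review and not Nmap's ssl-cert script or its Lua sslcert table: it uses the dict layout that Python's standard-library ssl.getpeercert() returns, and the two certificates and the "now" timestamps are constructed samples. It only covers leaf-certificate checks; chain building against a trust store (Jesper's fourth point) is still something a verifier such as OpenSSL has to do, and its result will indeed depend on the trust store it is given.

```python
"""Leaf-certificate checks returning a list of warnings (constructed example)."""
import ipaddress
import ssl
import time

# Constructed samples in the tuple-of-RDN layout ssl.getpeercert() uses; not real sites.
SELF_SIGNED = {
    "subject": ((("commonName", "xxx"),),),
    "issuer": ((("commonName", "xxx"),),),
    "notBefore": "Mar 19 10:37:24 2008 GMT",
    "notAfter": "Mar 17 10:37:24 2018 GMT",
}
CA_SIGNED = {
    "subject": ((("commonName", "*.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
    "notBefore": "Jan 15 00:00:00 2012 GMT",
    "notAfter": "Jan 15 00:00:00 2014 GMT",
}
NOW_2013 = 1370649600  # 2013-06-08 00:00:00 UTC, constructed reference time
NOW_2019 = 1546300800  # 2019-01-01 00:00:00 UTC, after SELF_SIGNED has expired


def _rdn_values(name, attr):
    """All values of one attribute (e.g. commonName) in a getpeercert() name tuple."""
    return [v for rdn in name for (k, v) in rdn if k == attr]


def _match_dns(pattern, host):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.example.test' matches 'a.example.test' but not 'example.test' or 'a.b.example.test'
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def certificate_warnings(cert, target, now=None):
    """Return the warnings for one leaf certificate as a list, so several can coexist."""
    now = time.time() if now is None else now
    warnings = []

    # 1. Self-signed: subject and issuer distinguished names are identical.
    if cert["subject"] == cert["issuer"]:
        warnings.append("self signed certificate")

    # 2. Validity window, reported on its own instead of through a generic verify error.
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        warnings.append("certificate is not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        warnings.append("certificate has expired")

    # 3. Name match: SAN entries take precedence; the CN is only a fallback when
    #    there is no dNSName SAN. An IP target only matches an iPAddress SAN.
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        candidates = [v for (k, v) in san if k == "IP Address"]
        ok = any(ipaddress.ip_address(v) == ip for v in candidates)
    else:
        dns_names = [v for (k, v) in san if k == "DNS"]
        candidates = dns_names or _rdn_values(cert["subject"], "commonName")
        ok = any(_match_dns(p, target) for p in candidates)
    if not ok:
        warnings.append("certificate name(s) %s do not match %s"
                        % (", ".join(candidates) or "<none>", target))
    return warnings


if __name__ == "__main__":
    for cert, target, now in ((SELF_SIGNED, "example.test", NOW_2013),
                              (SELF_SIGNED, "example.test", NOW_2019),
                              (CA_SIGNED, "www.example.test", NOW_2013),
                              (CA_SIGNED, "203.0.113.5", NOW_2013)):
        print(target, "->", certificate_warnings(cert, target, now) or "no warnings")
```

Returning a list keeps the self-signed and expired findings independent, which is the point of Jesper's first two items; the hostname check deliberately treats an IP target differently from a DNS name, matching the caveat in his third item.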
Current thread:
- [NSE] SSL certificate chain and verification Patrik Karlsson (May 23)
- Re: [NSE] SSL certificate chain and verification Jesper Kückelhahn (Jun 08)
- Re: [NSE] SSL certificate chain and verification Patrik Karlsson (Jun 08)
- Re: [NSE] SSL certificate chain and verification David Fifield (Jun 17)
- Re: [NSE] SSL certificate chain and verification Patrik Karlsson (Jun 08)
- Re: [NSE] SSL certificate chain and verification Jesper Kückelhahn (Jun 08)