Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

SSL issues

From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 12 Oct 2013 11:59:26 -0400
List,

I noticed the following behaviour when working on some changes for ssl-cert.
When scanning svn.nmap.org by name or IP everything works as expected.
However, scanning the same host using the hostname www.nmap.org fails.
The command I'm using: nmap -p 443 --script ssl-cert www.nmap.org -d3

This is the result I'm getting:
NSOCK INFO [0.6970s] handle_connect_result(): EID 9 reconnecting with
SSL_OP_NO_SSLv2
NSOCK INFO [0.9840s] handle_connect_result(): EID 9 error:14077458:SSL
routines:SSL23_GET_SERVER_HELLO:reason(1112)
NSOCK INFO [0.9840s] nsock_trace_handler_callback(): Callback: SSL-CONNECT
ERROR [Input/output error (5)] for EID 9 [173.255.243.189:443]

It appears that the server returns a TLSv1 warning with "unrecognized name"
and if I comment the following code the script gives me the same result as
if scanning by IP.

#if HAVE_SSL_SET_TLSEXT_HOST_NAME
      if (iod->hostname != NULL) {
        if (SSL_set_tlsext_host_name(iod->ssl, iod->hostname) != 1)
          fatal("SSL_set_tlsext_host_name failed: %s",
ERR_error_string(ERR_get_error(), NULL));
      }
#endif

I'm not sure if this is the behaviour we want? If that is the case we may
want to return a more descriptive error message.

-Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: