Nmap Development mailing list archives

Re: SSL issues


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 13 Oct 2013 21:45:18 -0400

Hi,

I'm responding to my own e-mail. Turns out this has nothing to do with Nmap
but rather with the version of openssl I was using.
Turns out the default SSL on my MacBook is 0.9.8r and it seems to have the
following issue:
http://rt.openssl.org/Ticket/Display.html?id=3038&user=guest&pass=guest

What happens is that the "Unrecognized name" warning is treated as an error
aborting the connection.
If I specify the openssl which I have in ports 1.0.1e using the
--with-openssl configuration directive, the problem does not exist.
Either way this is somewhat annoying and I'm not sure what to do about it
at this point?

-Patrik


On Sat, Oct 12, 2013 at 11:59 AM, Patrik Karlsson <patrik () cqure net> wrote:

List,

I noticed the following behaviour when working on some changes for
ssl-cert.
When scanning svn.nmap.org by name or IP everything works as expected.
However, scanning the same host using the hostname www.nmap.org fails.
The command I'm using: nmap -p 443 --script ssl-cert www.nmap.org -d3

This is the result I'm getting:
NSOCK INFO [0.6970s] handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [0.9840s] handle_connect_result(): EID 9 error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
NSOCK INFO [0.9840s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 9 [173.255.243.189:443]

It appears that the server returns a TLSv1 warning with "unrecognized
name" and if I comment the following code the script gives me the same
result as if scanning by IP.

#if HAVE_SSL_SET_TLSEXT_HOST_NAME
      if (iod->hostname != NULL) {
        if (SSL_set_tlsext_host_name(iod->ssl, iod->hostname) != 1)
          fatal("SSL_set_tlsext_host_name failed: %s",
                ERR_error_string(ERR_get_error(), NULL));
      }
#endif

I'm not sure if this is the behaviour we want? If that is the case we may
want to return a more descriptive error message.

-Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77





-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
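
Added example (not part of the original message, and not Nmap or OpenSSL code): decoding the error:14077458 ... reason(1112) trace line above shows that the reason is the server's unrecognized_name alert (112) plus OpenSSL's alert offset of 1000, and parsing the alert record shows why a warning-level alert need not abort the handshake. All function names are hypothetical and the alert record bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenSSL 0.9.8/1.0.x pack an error code as lib(8) | func(12) | reason(12). */
int err_lib(unsigned long e) { return (int)((e >> 24) & 0xff); }
int err_func(unsigned long e) { return (int)((e >> 12) & 0xfff); }
int err_reason(unsigned long e) { return (int)(e & 0xfff); }

/* Pull the hex code out of "error:XXXXXXXX:..." in a trace line; 0 if absent. */
unsigned long error_code_from_log(const char *line) {
  const char *p = strstr(line, "error:");
  return p ? strtoul(p + 6, NULL, 16) : 0;
}

/* Reasons above SSL_AD_REASON_OFFSET (1000) are alerts sent by the peer:
 * reason - 1000 is the TLS alert description. Returns -1 otherwise. */
int alert_from_reason(int reason) {
  return reason > 1000 ? reason - 1000 : -1;
}

/* Parse a plaintext TLS alert record: type 21, version (2 bytes),
 * length 0x0002, then level and description. Returns 0 on success. */
int parse_alert(const uint8_t *rec, size_t len, int *level, int *desc) {
  if (len != 7 || rec[0] != 21 || rec[3] != 0 || rec[4] != 2) return -1;
  *level = rec[5];
  *desc = rec[6];
  return 0;
}

/* Level 1 is a warning and leaves the handshake usable; anything else
 * (level 2, or an unknown level) is treated as fatal here. */
int must_abort(int level) { return level != 1; }

int main(void) {
  /* Trace line from the message above, written on one line. */
  const char *line = "NSOCK INFO [0.9840s] handle_connect_result(): EID 9 "
      "error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)";
  /* Constructed sample: TLS 1.0 alert, warning(1), unrecognized_name(112). */
  const uint8_t rec[] = {0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x70};
  unsigned long e = error_code_from_log(line);
  int level = 0, desc = 0;
  printf("lib=%d func=%d reason=%d alert=%d\n", err_lib(e), err_func(e),
         err_reason(e), alert_from_reason(err_reason(e)));
  if (parse_alert(rec, sizeof rec, &level, &desc) == 0)
    printf("level=%d desc=%d abort=%d\n", level, desc, must_abort(level));
  return 0;
}
```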

