Nmap Development mailing list archives

Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm


From: David Fifield <david () bamsoftware com>
Date: Sat, 11 Oct 2014 16:30:50 -0700

On Sat, Oct 11, 2014 at 06:24:25PM -0500, Tom Sellers wrote:
> All,
>   There's been a lot of press recently about Google and Mozilla
>   becoming more aggressive about how they handle x509 certificates
>   that have been signed using SHA-1. To assist with detecting SHA-1
>   signed certificates I have created and attached a patch that adds
>   the signature algorithm that was used to sign the target's x509
>   certificate to the output of the 'ssl-cert.nse'.  I am not a C coder
>   so the modifications to 'nse_ssl_cert.cc' may need a bit of
>   tweaking. Also, the ordering of elements may need to be adjusted.
>   To reduce user confusion I purposely did not place the Signature
>   Algorithm output near the MD5 and SHA-1 hashes.  Those values are
>   'fingerprints', or for Microsoft products: thumbprints, and are
>   generated by ssl-cert.nse.

Cool, what are the possible outputs? You have sha256WithRSAEncryption
and ecdsa-with-SHA384; what values should someone auditing for SHA-1
look for?

Be sure to update the @output and @xmloutput sections in the
documentation.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
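
An added example, not part of the original message or of the Nmap project's code: one way to audit saved scan output for SHA-1 (or older) certificate signatures once ssl-cert.nse reports the field. It assumes the script prints a line of the form `Signature Algorithm: <name>` with OpenSSL-style names like the two quoted in the thread (`sha1WithRSAEncryption` is such an OpenSSL name, not taken from the thread); the scan text is constructed sample input.

```python
import re

# Constructed sample, not real scan output. The "Signature Algorithm:" label
# is an assumption about how the patched ssl-cert.nse prints the field.
SAMPLE = """\
Nmap scan report for a.example (192.0.2.10)
443/tcp open  https
| ssl-cert: Subject: commonName=a.example
| Signature Algorithm: sha1WithRSAEncryption
|_SHA-1: <fingerprint omitted>
Nmap scan report for b.example (192.0.2.11)
443/tcp open  https
| ssl-cert: Subject: commonName=b.example
| Signature Algorithm: ecdsa-with-SHA384
|_SHA-1: <fingerprint omitted>
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
# Anchoring on the label keeps the "SHA-1:" fingerprint lines out of the audit.
SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
# Digest token inside names such as sha1WithRSAEncryption or ecdsa-with-SHA384.
DIGEST_RE = re.compile(r"(md2|md4|md5|sha-?(?:1|224|256|384|512))(?!\d)", re.I)
WEAK = {"md2", "md4", "md5", "sha1"}

def digest_of(sig_alg):
    """Return the normalized digest named in a signature algorithm, or None."""
    m = DIGEST_RE.search(sig_alg)
    return m.group(1).lower().replace("-", "") if m else None

def audit(scan_text):
    """Return (host, port, algorithm, verdict) for each certificate seen."""
    findings, host, port = [], None, None
    for line in scan_text.splitlines():
        if m := HOST_RE.match(line):
            host, port = m.group(1), None
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
        elif m := SIG_RE.search(line):
            alg = m.group(1)
            digest = digest_of(alg)
            # Names that carry no digest (e.g. RSA-PSS) need a manual look.
            verdict = "review" if digest is None else ("weak" if digest in WEAK else "ok")
            findings.append((host, port, alg, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```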

