Nmap Development mailing list archives

[nse] #212 - http.get_url makes plain text request for HTTPS urls

From: jah <jah () zadkiel plus com>
Date: Thu, 17 Sep 2015 23:43:25 +0100

List,

Issue [#212] on github is reproduced below. The first HTTP request made by an NSE script which calls http.get_url with 
an https url is a plaintext request, instead of an encrypted one.

I'm not sure of the best way to solve it.

jah

[#212]: https://github.com/nmap/nmap/issues/212

- http.get_url parses the url to produce a port table: {service: "https", number: 443}
- http.request is eventually called with the port table and this is passed to comm.tryssl
- comm.tryssl passes the port table to comm.bestoption, which calls comm.is_ssl, which calls shortport.ssl
- shortport.ssl calls shortport.port_or_service which returns false because both the port_checker and service_checker demand that port.state be either "open" or "open|filtered", but port.state is not set in this case
- thus comm.tryssl uses opts.proto="tcp" instead of "ssl" when calling comm.opencon

I can think of four fixes:

1. shortport.includes, used by the checker functions, could return true if a nil value is being checked for inclusion in a set.
2. the shortport checker functions could avoid testing port.state for inclusion in a set of states if port.state is not set (and return true when the other demands are met).
3. http.get_url could add port.state="open" after parsing its url argument.
4. http.request could set port.state.

Doing option 3 seems appropriate, but it doesn't help script writers using other http.lua functions such as get or 
head.  Option 1 seems like the right thing to do, except that it arguably violates the principle of least surprise.  
Options 2 and 4 are probably not the appropriate places to solve this problem.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
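The failure chain in the report, modelled as a small stand-alone Lua program (an added illustration, not Nmap's own shortport.lua, comm.lua or http.lua code): the `includes` and `port_or_service` functions below are simplified stand-ins for the real checkers, and `choose_proto` stands in for the protocol choice comm.tryssl makes before comm.opencon.

```lua
-- Simplified model of the shortport checks described in the report.
-- This is an added illustration, not Nmap's own library code.

-- Stand-in for shortport.includes: true only when `value` is in `list`.
-- A nil `value` never matches, which is the root of the problem.
local function includes(list, value)
  for _, v in ipairs(list) do
    if v == value then return true end
  end
  return false
end

-- Stand-in for shortport.port_or_service: every supplied criterion must
-- match, and port.state must be "open" or "open|filtered".
local function port_or_service(ports, services, states)
  states = states or {"open", "open|filtered"}
  return function(host, port)
    return includes(states, port.state)
      and (ports == nil or includes(ports, port.number))
      and (services == nil or includes(services, port.service))
  end
end

-- Stand-in for shortport.ssl / comm.is_ssl (assumed port and service sets).
local is_ssl = port_or_service({443}, {"https"})

-- Stand-in for the decision comm.tryssl makes for comm.opencon.
local function choose_proto(host, port)
  return is_ssl(host, port) and "ssl" or "tcp"
end

-- The port table as http.get_url builds it from an https url: no state field,
-- so the state check fails and the first request goes out in plaintext.
local port = {service = "https", number = 443}
assert(choose_proto(nil, port) == "tcp")

-- Fix 3 from the report: set port.state after parsing the url argument.
port.state = "open"
assert(choose_proto(nil, port) == "ssl")

-- A port that really is open but not an SSL service must still choose tcp.
assert(choose_proto(nil, {service = "http", number = 80, state = "open"}) == "tcp")
print("model matches the behaviour described in #212")
```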