Nmap Development mailing list archives

Re: Missing support for TLS server_name on Windows


From: nnposter <nnposter () users sourceforge net>
Date: Fri, 24 Feb 2017 17:48:53 -0700

Hello Rob,
Since both you and Dan prefer adding the #define then I have put this in
now (r36586).

Cheers,
nnposter


On 2/24/17 4:26 PM, Rob Nicholls wrote:
I believe HAVE_SSL_SET_TLSEXT_HOST_NAME is defined using Nsock's configure
script when building Nmap on Linux, based on the capabilities of the version
of OpenSSL we're telling Nmap to include, so checking for the TLS extension
within nsock_core.c makes sense as support for it could change (otherwise
non-Windows people could be more likely to hit fatal errors if we don't do
the check).

People appear to be far less likely to build or include their own version of
OpenSSL on Windows. I presume most people that build Nmap are using our
binaries supplied in nmap-mswin32-aux. I've not double-checked, but it makes
sense that modern (1.0+) versions of OpenSSL support SNI by default, which
is presumably why your hardcoded changes work okay.

But it does mean if someone decided to compile their own (pre-1.0 or a
non-default modern) version of OpenSSL without support for that TLS
extension then they could more easily change the #define from 1 to 0 to
match their crazy configuration instead of having to hack out the code in
nsock_core.c (or have them hit a fatal error). I have no idea why they would
do something like that, but then again I also have no idea why anyone would
want to compile Nmap without SSL support.

Either way, it does sound like a necessary fix to ensure the correct
certificate is returned on Windows, especially as I have encountered some
cloud-based web servers that require SNI. I'd go with your first suggestion
for fixing it.

Rob

-----Original Message-----
From: dev [mailto:dev-bounces () nmap org] On Behalf Of nnposter
Sent: 24 February 2017 20:24
To: dev () nmap org
Subject: Missing support for TLS server_name on Windows

When running on Windows, Nsock currently does not provide support for TLS
extension server_name, which has a large impact on successfully scanning TLS
services.

There are two ways to fix it.

Please see https://github.com/nmap/nmap/issues/700 for details.

Cheers,
nnposter

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
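
Added example, not part of the thread and not Nmap or Nsock code: one way to confirm from a captured ClientHello that a build actually sends the server_name extension discussed above. The function name, the input layout (the extensions block without its 2-byte total length) and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 16-bit read. */
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk a ClientHello extensions block and copy the first host_name entry of
 * the server_name extension (type 0, RFC 6066) into out.
 * Returns the name length, 0 if the extension is absent, -1 if malformed. */
int sni_from_extensions(const uint8_t *ext, size_t len, char *out, size_t outsz)
{
    size_t off = 0;
    while (off + 4 <= len) {
        unsigned type = rd16(ext + off), elen = rd16(ext + off + 2);
        const uint8_t *body = ext + off + 4;
        off += 4;
        if (elen > len - off) return -1;          /* extension overruns buffer */
        off += elen;
        if (type != 0) continue;                  /* not server_name */
        /* ServerNameList: list_len(2), then name_type(1) name_len(2) name */
        if (elen < 2 || rd16(body) != elen - 2) return -1;
        for (size_t p = 2; p + 3 <= elen; ) {
            unsigned ntype = body[p], nlen = rd16(body + p + 1);
            p += 3;
            if (nlen > elen - p) return -1;       /* name overruns extension */
            if (ntype == 0) {                     /* host_name */
                if (nlen == 0 || nlen >= outsz) return -1;
                memcpy(out, body + p, nlen);
                out[nlen] = '\0';
                return (int)nlen;
            }
            p += nlen;
        }
        return -1;                                /* no host_name entry */
    }
    return off == len ? 0 : -1;                   /* trailing bytes are malformed */
}

/* Constructed samples: supported_groups, then server_name "example.com". */
static const uint8_t SAMPLE_WITH_SNI[] = {
    0x00,0x0a,0x00,0x04,0x00,0x02,0x00,0x17,
    0x00,0x00,0x00,0x10,0x00,0x0e,0x00,0x00,0x0b,
    'e','x','a','m','p','l','e','.','c','o','m' };
static const uint8_t SAMPLE_NO_SNI[] = { 0x00,0x0a,0x00,0x04,0x00,0x02,0x00,0x17 };

int main(void)
{
    char name[64] = "";
    int n = sni_from_extensions(SAMPLE_WITH_SNI, sizeof SAMPLE_WITH_SNI, name, sizeof name);
    printf("with SNI: %d %s\n", n, name);
    return 0;
}
```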