Nmap Development mailing list archives

RE: [nmap-svn] r36581 - nmap/scripts


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sat, 25 Feb 2017 13:12:44 -0000

Hi Dan,

I followed the link and saw the output from Nmap 7.40 that was missing the
list of TLSv1.2 ciphers. Did the person try using an SVN build at any point?
I had a similar issue where SSLv3 was omitted from the ssl-enum-ciphers
output even though support for an MD5 cipher was still flagged as a warning
(despite no MD5 ciphers being listed in the output, which is why I spotted
the inconsistency and investigated further) until I'd made the change that
I'd committed in r36559.

I'm wondering if your change in r36581 might fix the root cause of the issue
I encountered (and I wonder if YTKColumba would have seen the TLSv1.2 output
if they'd tried an SVN version with my workaround). I seem to recall seeing
similar handshake failures in the debug output (plus I temporarily added my
own debug output to see where/why it was failing), but due to the
environment I was testing I couldn't remove any data (I had to write what
was thankfully only a 6 line fix on a Post-it note and type it back up
again) or do any further investigation once I'd left site.

Rob

-----Original Message-----
From: svn [mailto:svn-bounces () nmap org] On Behalf Of commit-mailer () nmap org
Sent: 24 February 2017 15:48
To: svn () nmap org
Subject: [nmap-svn] r36581 - nmap/scripts

Author: dmiller
Date: Fri Feb 24 07:47:48 2017
New Revision: 36581

Log:
Don't consider protocol mismatch for alerts other than protocol_version to
be a protocol rejection. http://serverfault.com/q/832207/112426

Modified:
   nmap/scripts/ssl-enum-ciphers.nse

Modified: nmap/scripts/ssl-enum-ciphers.nse
============================================================================
==
--- nmap/scripts/ssl-enum-ciphers.nse   (original)
+++ nmap/scripts/ssl-enum-ciphers.nse   Fri Feb 24 07:47:48 2017
@@ -605,8 +605,11 @@
       if alert then
         ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
         if alert["protocol"] ~= protocol then
-          ctx_log(1, protocol, "Protocol rejected.")
-          protocol_worked = nil
+          ctx_log(1, protocol, "Protocol mismatch (received %s)",
alert.protocol)
+          -- Sometimes this is not an actual rejection of the protocol.
Check specifically:
+          if get_body(alert, "description", "protocol_version") then
+            protocol_worked = nil
+          end
           break
         elseif get_body(alert, "description", "handshake_failure") then
           protocol_worked = true
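
Review bot: In the mismatch branch, the `break` still runs unconditionally, so an alert that arrives with a different protocol and is not `protocol_version` now leaves the loop without assigning `protocol_worked` at all. The result then depends on whatever value the variable held before, which is not visible in this hunk. In particular, a `handshake_failure` alert carrying a mismatched protocol never reaches the `elseif` below that sets `protocol_worked = true`. Either set the intended value explicitly in an `else` arm before the `break`, or extend the new comment to state what `protocol_worked` is expected to be at that point. The level-1 log also no longer says when the protocol really was rejected; a `ctx_log(1, protocol, "Protocol rejected.")` inside the new `if get_body(alert, "description", "protocol_version")` block would keep that signal in the debug output.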

_______________________________________________
Sent through the svn mailing list
https://nmap.org/mailman/listinfo/svn


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

