Nmap Development mailing list archives
Cloudflare DNS-over-TLS server ignores SSLSessionReq and TLSSessionReq
From: David Fifield <david () bamsoftware com>
Date: Tue, 16 Oct 2018 13:19:33 -0600
I tried to probe the Cloudflare DNS over TLS service at 1.1.1.1:853. It failed because the service only supports TLSv1.2 and TLSv1.3, and it hangs up on Nmap's SSLSessionReq probe (which is SSLv3). I also tried adding port 853 to TLSSessionReq, which is supposed to be TLSv1.2, but even that didn't work. Wireshark identified the TLSSessionReq probe as "SSL 3.0", so I tried changing "^\x16\x03\0" to "^\x16\x03\x03", but that didn't work either.

$ sudo ./nmap -p 853 --version-trace 1.1.1.1 -sV
...
Service scan sending probe SSLSessionReq to 1.1.1.1:853 (tcp)
...
NSOCK INFO [6.6290s] nsock_trace_handler_callback(): Callback: READ EOF for EID 34 [1.1.1.1:853]
...
Service scan sending probe TLSSessionReq to 1.1.1.1:853 (tcp)
...
NSOCK INFO [6.7070s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [1.1.1.1:853]
...
PORT    STATE SERVICE  VERSION
853/tcp open  domain-s?

Here's documentation on the service.
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

    Cloudflare supports DNS over TLS on 1.1.1.1 and 1.0.0.1 on port 853.
    The certificate presented is for cloudflare-dns.com. Cloudflare’s DNS
    over TLS supports TLS 1.3 and TLS 1.2.

Here's a test showing OpenSSL's s_client able to connect with TLSv1.2, but not TLSv1.0 or TLSv1.1.

$ openssl s_client -tls1 -connect 1.1.1.1:853
SSL handshake has read 0 bytes and written 102 bytes

$ openssl s_client -tls1_1 -connect 1.1.1.1:853
SSL handshake has read 0 bytes and written 102 bytes

$ openssl s_client -tls1_2 -connect 1.1.1.1:853
SSL handshake has read 2632 bytes and written 269 bytes

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
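The post hinges on two different version fields in a TLS ClientHello: the record-layer version in the 5-byte header (the one Wireshark labels the packet with, so a 0x0300 header shows up as "SSL 3.0") and the client_version inside the handshake body (the one a TLS 1.2 server negotiates on). A service that only speaks TLS 1.2 and 1.3 closes the connection on an SSLv3 or TLS 1.0 hello, which is exactly the READ EOF the nsock trace reports. The following is an added example written for this archive page; it is not Nmap's code and not part of David Fifield's message. It builds a ClientHello with both version fields chosen independently, classifies what a server sends back (EOF, alert, or ServerHello), and, when run as a script, tries each version against the DoT endpoint from the post. The function names, the cipher-suite selection and the extension set are this example's own choices; the host, port and server name come from the post.

```python
"""Hand-built TLS ClientHello probe and response classifier (added example)."""
import os
import socket
import struct

# Protocol version values as they appear on the wire (record header and ClientHello body).
TLS_VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# Alert descriptions a version-restricted server commonly returns (RFC 5246, section 7.2).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def _extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(record_version, client_version, server_name, cipher_suites):
    """Return one TLS record carrying a ClientHello.

    record_version: value in the record header (what Wireshark labels the record as).
    client_version: highest version claimed inside the ClientHello body.
    cipher_suites:  list of 16-bit suite ids; extensions are a small fixed set
                    (SNI, supported_groups, ec_point_formats, signature_algorithms).
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    name = server_name.encode("ascii")
    sni = _extension(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    groups = _extension(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))   # x25519, secp256r1
    point_formats = _extension(0x000B, b"\x01\x00")                        # uncompressed only
    sig_algs = _extension(0x000D, struct.pack("!HHHH", 6, 0x0401, 0x0403, 0x0804))
    extensions = sni + groups + point_formats + sig_algs

    body = (
        struct.pack("!H", client_version)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def record_version(tls_record):
    """Version field of the 5-byte record header."""
    return struct.unpack("!H", tls_record[1:3])[0]


def client_version(client_hello_record):
    """client_version inside the body: 5-byte record header + 1-byte type + 3-byte length."""
    return struct.unpack("!H", client_hello_record[9:11])[0]


def classify_response(data):
    """Classify the first bytes a server returns after a ClientHello.

    ("eof", None) for an immediate close (nsock reports this as READ EOF),
    ("alert", description), ("server_hello", negotiated version) or ("unknown", first byte).
    """
    if not data:
        return ("eof", None)
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:
        return ("alert", ALERT_NAMES.get(data[6], str(data[6])))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        version = struct.unpack("!H", data[9:11])[0]
        return ("server_hello", VERSION_NAMES.get(version, hex(version)))
    return ("unknown", content_type)


def send_probe(host, port, probe, timeout=5.0):
    """Send one raw probe and return the first response bytes (b"" if the peer closes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Live check against the DoT endpoint named in the post (needs network access).
    for name, version in TLS_VERSIONS.items():
        probe = build_client_hello(version, version, "cloudflare-dns.com",
                                   [0xC02B, 0xC02F, 0x009C])
        reply = send_probe("1.1.1.1", 853, probe)
        print(name, "timeout" if reply is None else classify_response(reply))
```

Running the script reproduces the s_client observation from the post in one pass: the hellos whose body claims SSLv3, TLS 1.0 or 1.1 come back as EOF or a protocol_version alert, while the TLS 1.2 hello gets a ServerHello. The separate record_version and client_version parameters also let you see why editing only the "^\x16\x03\0" match pattern changes nothing: the pattern describes the server's reply, not what the probe offers.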
Current thread:
- Cloudflare DNS-over-TLS server ignores SSLSessionReq and TLSSessionReq David Fifield (Oct 16)
- Re: Cloudflare DNS-over-TLS server ignores SSLSessionReq and TLSSessionReq Daniel Miller (Oct 18)