Nmap Development mailing list archives

Cloudflare DNS-over-TLS server ignores SSLSessionReq and TLSSessionReq


From: David Fifield <david () bamsoftware com>
Date: Tue, 16 Oct 2018 13:19:33 -0600

I tried to probe the Cloudflare DNS over TLS service at 1.1.1.1:853. It
failed because the service only supports TLSv1.2 and TLSv1.3, and it
hangs up on Nmap's SSLSessionReq probe (which is SSLv3). I also tried
adding port 853 to TLSSessionReq, which is supposed to be TLSv1.2, but
even that didn't work. Wireshark identified the TLSSessionReq probe as
"SSL 3.0", so I tried changing "^\x16\x03\0" to "^\x16\x03\x03", but
that didn't work either.

$ sudo ./nmap -p 853 --version-trace 1.1.1.1 -sV
...
Service scan sending probe SSLSessionReq to 1.1.1.1:853 (tcp)
...
NSOCK INFO [6.6290s] nsock_trace_handler_callback(): Callback: READ EOF for EID 34 [1.1.1.1:853]
...
Service scan sending probe TLSSessionReq to 1.1.1.1:853 (tcp)
...
NSOCK INFO [6.7070s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [1.1.1.1:853]
...
PORT    STATE SERVICE   VERSION
853/tcp open  domain-s?

Here's documentation on the service.
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
        Cloudflare supports DNS over TLS on 1.1.1.1 and 1.0.0.1 on port
        853. The certificate presented is for cloudflare-dns.com.

        Cloudflare’s DNS over TLS supports TLS 1.3 and TLS 1.2.

Here's a test showing OpenSSL's s_client able to connect with TLSv1.2,
but not TLSv1.0 or TLSv1.1.
        $ openssl s_client -tls1 -connect 1.1.1.1:853
        SSL handshake has read 0 bytes and written 102 bytes
        $ openssl s_client -tls1_1 -connect 1.1.1.1:853
        SSL handshake has read 0 bytes and written 102 bytes
        $ openssl s_client -tls1_2 -connect 1.1.1.1:853
        SSL handshake has read 2632 bytes and written 269 bytes
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
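
The byte strings quoted in the message are the start of a TLS record header: `\x16` is the handshake content type and `\x03\0` or `\x03\x03` is the record-layer version (0x0300 or 0x0303). A ClientHello also carries its own version field and, for TLS 1.3, a supported_versions extension. As an added example (not part of the original post and not Nmap code), this Python code decodes all three from constructed ClientHello bytes; `build_client_hello` and `client_hello_versions` are hypothetical helper names.

```python
import struct

def build_client_hello(rec_ver, hello_ver, supported=()):
    """Constructed sample: minimal ClientHello, zeroed random, one cipher suite."""
    ext = b""
    if supported:  # supported_versions extension (type 43), used by TLS 1.3
        vs = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vs) + 1, len(vs)) + vs
    hello = (struct.pack("!H", hello_ver) + bytes(32) + b"\x00"   # version, random, session_id
             + b"\x00\x02\x00\x2f" + b"\x01\x00"                  # cipher_suites, compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello          # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs       # record header

def client_hello_versions(data):
    """Return the three version fields of a ClientHello held in one TLS record."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    out = {"record": rec_ver, "client_hello": int.from_bytes(hello[:2], "big"),
           "supported_versions": []}
    try:
        pos = 34                                             # skip version + random
        pos += 1 + hello[pos]                                # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big") # cipher_suites
        pos += 1 + hello[pos]                                # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:                                    # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 43 and ext:
            vs = ext[1:1 + ext[0]]
            out["supported_versions"] = [int.from_bytes(vs[i:i + 2], "big")
                                         for i in range(0, len(vs) - 1, 2)]
        pos += 4 + ext_len
    return out

if __name__ == "__main__":
    for rec, ver, sup in [(0x0300, 0x0303, ()), (0x0301, 0x0303, (0x0304, 0x0303))]:
        fields = client_hello_versions(build_client_hello(rec, ver, sup))
        print({k: [hex(x) for x in v] if isinstance(v, list) else hex(v)
               for k, v in fields.items()})
```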
