Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] SSL Fingerprint Matching
From: Fyodor <fyodor () insecure org>
Date: Thu, 6 Jan 2011 22:05:27 -0800

On Thu, Jan 06, 2011 at 11:00:05PM +0200, Toni Ruottu wrote:
So the options are 1) send the file with nmap and have it work out of
box, 2) provide the file separately, and 3) provide a bigger nmap
deluxe release that has the file in it. What do you think is the way
to go?

I think the Debian SSL blacklist DB is too large to include with Nmap,
but an "external" category script could query an external DB service
to see if a given key is on the list.  Of course the script would not
convey the IP address, certificate common name, or other details
beyond the key hash to the checker webapp.  It would be nice for the
script to be able to use a local file instead if the user has
downloaded it.  The NSEDoc could explain where to get the local file.

We could include all other interesting SSL keys with the script unless
we encounter another large class of them.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]