mailing list archives
Re: ssl-enum-ciphers support for TLS extensions
From: David Fifield <david () bamsoftware com>
Date: Mon, 27 Jan 2014 18:35:36 -0800
On Sat, Dec 28, 2013 at 02:03:05PM -0800, David Fifield wrote:
Here are some patches that add support for some TLS extensions in
The server_name extension (RFC 6066), also known as Server Name
Indication or SNI, indicates the name of the virtual host you are trying
to contact. The value is taken from the host.targetname field and is
omitted if you are scanning an IP address. It may be that servers change
their offered ciphersuites depending on the virtual host you are trying
to contact; for example https://wiki.apache.org/httpd/NameBasedSSLVHosts
has an SSLCipherSuite specification inside a VirtualHost.
The elliptic_curves and ec_point_formats extensions (RFC 4492) describe
elliptic curve crypto parameters supported by the client. It may be that
servers may change the ciphersuites offered to the client based on the
curves and point formats the client claims to support. I made the script
claim to support every curve and point format mentioned in RFC 4492.
In running some big scans using these extensions, we found that many
servers issue a warning alert when they get an SNI they don't expect.
This happens often when scanning a www target versus a non-www target or
vice versa. The script treats all alerts as a fatal error, so there
would be no output shown for these hosts, even though they were fine
other than the alert.
Here are some new patches to make ssl-enum-ciphers ignore warning
The new tls.lua library also implements extensions, in a way
incompatible with these patches. I'm not sure what to do about that.
I've only rebased these patches up to r32649, before tls.lua was split
out and modified.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
- Re: ssl-enum-ciphers support for TLS extensions David Fifield (Jan 28)