Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: ssl-enum-ciphers support for TLS extensions
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 27 Jan 2014 21:15:20 -0600


This is really cool! I had forgotten about your previous message,
though I'm sure it was subconsciously influencing me as I split out
the tls.lua library. I'm pretty busy at the moment, but I'll give a
shot to merging the two concepts. Hopefully I can have it done within
a week or so.


On Mon, Jan 27, 2014 at 8:35 PM, David Fifield <david () bamsoftware com> wrote:
On Sat, Dec 28, 2013 at 02:03:05PM -0800, David Fifield wrote:
Here are some patches that add support for some TLS extensions in

The server_name extension (RFC 6066), also known as Server Name
Indication or SNI, indicates the name of the virtual host you are trying
to contact. The value is taken from the host.targetname field and is
omitted if you are scanning an IP address. It may be that servers change
their offered ciphersuites depending on the virtual host you are trying
to contact; for example https://wiki.apache.org/httpd/NameBasedSSLVHosts
has an SSLCipherSuite specification inside a VirtualHost.

The elliptic_curves and ec_point_formats extensions (RFC 4492) describe
elliptic curve crypto parameters supported by the client. It may be that
servers may change the ciphersuites offered to the client based on the
curves and point formats the client claims to support. I made the script
claim to support every curve and point format mentioned in RFC 4492.

In running some big scans using these extensions, we found that many
servers issue a warning alert when they get an SNI they don't expect.
This happens often when scanning a www target versus a non-www target or
vice versa. The script treats all alerts as a fatal error, so there
would be no output shown for these hosts, even though they were fine
other than the alert.

Here are some new patches to make ssl-enum-ciphers ignore warning

The new tls.lua library also implements extensions, in a way
incompatible with these patches. I'm not sure what to do about that.
I've only rebased these patches up to r32649, before tls.lua was split
out and modified.

David Fifield

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]