Nmap Development mailing list archives

Re: Proposed SSL version detection probe changes


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 17 Feb 2009 12:44:55 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 16 Feb 2009 23:53:04 -0800 or thereabouts Fyodor
<fyodor () insecure org> wrote:
...snip...

> I agree that we should make sure Nsock can connect to any reasonable
> SSL servers.  Have you found any SSL servers on the Internet for which
> browsers can connect, but ncat and/or version detection (they use the
> same SSL connection creation calls) can't?
>
> Cheers,
> -F


Some versions of Nessus, yes.  Not too long ago I did a giant SSL survey
of the Internet (many millions of hosts) and found that a small
percentage (~3%) could not be connected to with the default SSL23
probe.  I had to manually specify one of the SSL versions using
openssl s_client.

I think the overall goal is to improve the number of services Nmap
detects as SSL and increase the number of successful SSL connections
made when Nsock tries SSL.

I think the reason Kristof suggested instead of a generic "ssl"
service, to have "tlsv1", "sslv3", etc is that Nsock would need to know
which handshake to use in making the SSL connection.  If we added
additional service probes for other SSL versions but just matched them
as "ssl" then Nsock would most likely fail to connect to them
properly.  Nsock would need to be extended to know about the different
SSL versions.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmasUcACgkQqaGPzAsl94IIuQCfTvDn7IbmtxKEb3zTGh1q/56R
SqUAoI/BSZWcQEg4lPYMXSR/32zwqpX2
=53G7
-----END PGP SIGNATURE-----
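
The message above argues for per-version service names so the connection layer knows which handshake to use. The sketch below is an added example, not part of the original message and not Nmap or Nsock code: it maps a server's first reply to such a label. The labels "sslv3" and "tlsv1" come from the thread; the other labels, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# "sslv3" and "tlsv1" are the names proposed in the thread; the rest are assumed.
VERSION_LABELS = {
    (0, 2): "sslv2",
    (3, 0): "sslv3",
    (3, 1): "tlsv1",
    (3, 2): "tlsv1.1",
    (3, 3): "tlsv1.2",
}

def classify_ssl_response(data: bytes):
    """Return a per-version label for a server's first reply, or None if not SSL."""
    # SSLv3/TLS record header: type(1) version(2) length(2).
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 3:
        rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
        body = data[5:5 + rec_len]
        # ServerHello: msg_type(1)=2, length(3), server_version(2).
        # Prefer the negotiated version over the record-layer version.
        if rec_type == 0x16 and len(body) >= 6 and body[0] == 0x02:
            major, minor = body[4], body[5]
        # For an alert (0x15) only the record-layer version is available.
        return VERSION_LABELS.get((major, minor))
    # SSLv2 record: 2-byte length with the high bit set, then SERVER-HELLO:
    # msg_type(1)=4, session_id_hit(1), cert_type(1), server_version(2).
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 0x04:
        return VERSION_LABELS.get((data[5], data[6]))
    return None

def build_server_hello(minor: int) -> bytes:
    """Construct a minimal SSLv3/TLS ServerHello record (sample data only)."""
    hello = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    msg = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03" + bytes([minor]) + len(msg).to_bytes(2, "big") + msg

# Constructed replies, not captured from real servers.
SAMPLES = {
    "tls10_hello": build_server_hello(1),
    "ssl3_alert": b"\x15\x03\x00\x00\x02\x02\x28",
    "ssl2_hello": b"\x80\x0b\x04\x00\x01\x00\x02" + bytes(6),
    "ssh_banner": b"SSH-2.0-OpenSSH_5.1\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, "->", classify_ssl_response(reply))
```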
