
Nmap Development mailing list archives
Re: [PATCH] Always list SSL in case any SSL connection succeeded
From: David Fifield <david () bamsoftware com>
Date: Mon, 2 Mar 2009 09:01:05 -0700
On Tue, Feb 24, 2009 at 10:34:59PM +0100, Kristof Boeynaems wrote:
> Kristof Boeynaems wrote:
>> David Fifield wrote:
>>> <snip>
>>> One more thing: In the test you described, the output should be "ssl/unknown?", not "ssl/unknown". Leaving off the question mark makes it look as if the port was positively identified. It's confusing in this case because the port is named "unknown", but that name comes from the nmap-services file. If you repeat the s_server experiment with port 80 you'll see what I mean. The output should be "ssl/http?", not "ssl/http" or "http?".
>> Good point. I'll look into that once we have agreed on where we should make the change :)
> Mmm, I had a look, and it seems that the behavior is slightly different than you describe. Did you really get those results after applying the patch? I am unable to reproduce those. I believe that with the patch, the test case above will always return "ssl/unknown", no matter the port. It will always default to line 476 in output.cc, thus adding "unknown" to the "ssl/" string set earlier.

Those aren't results from your patch, just incorrect examples to clarify what I think the output should be. Your patch does return "ssl/unknown" regardless of the port as you say, but I think this is inconsistent with how non-SSL ports are presented.

> Nevertheless, if you prefer "ssl/unknown?" for these cases, we can probably change it there.

When port 80 is scanned without SSL, and the service sends nothing back, the result is "http?", not "unknown". So I think when SSL is running on port 80, the result should be "ssl/http?", not "ssl/unknown".

    # ncat -l localhost 80
    $ nmap -sV -p 80 localhost
    PORT   STATE SERVICE VERSION
    80/tcp open  http?

For the record, this is what I get with your patch:

    # openssl s_server -cert test-cert.pem -key test-key.pem -accept 80
    $ ./nmap -sV -p 80 localhost
    PORT   STATE SERVICE     VERSION
    80/tcp open  ssl/unknown

    # openssl s_server -cert test-cert.pem -key test-key.pem
    $ ./nmap -sV -p 4433 localhost
    PORT     STATE SERVICE     VERSION
    4433/tcp open  ssl/unknown

I think those two cases should be, respectively

    PORT   STATE SERVICE   VERSION
    80/tcp open  ssl/http?

    PORT     STATE SERVICE      VERSION
    4433/tcp open  ssl/unknown?

Though you can also make a case for "ssl/unknown" in the second case.

> However, while "ssl/http" would indeed not be acceptable, I think "ssl/unknown" is better than "ssl/unknown?", as we are sure that there is "something" behind ssl (and we are sure that we don't know what ;)). I am afraid that displaying "ssl/unknown?" might give the impression that even the "ssl/" part is doubtful.

Maybe it's justified to treat a port named "unknown" as a special case and not print the question mark, as if the port were not in nmap-services at all. Changing "ssl/http?" to "ssl/unknown", however, throws away information. Normally when Nmap can't determine the version of a service, it at least gives you a guess based on the name from nmap-services, and marks it as a guess by adding the question mark. This should work the same way in the SSL case as in the non-SSL case.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
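The naming rule argued for in the message above, written out as an added example; it is not part of the original message and is not Nmap's code. `PortInfo`, `service_column` and `unknown_is_special` are hypothetical names, and printing plain "unknown" for a port that is absent from nmap-services is an assumption.

```cpp
#include <iostream>
#include <string>

// Hypothetical per-port inputs; these are not Nmap's own data structures.
struct PortInfo {
    bool ssl_tunnel;          // an SSL connection to the port succeeded
    std::string probed_name;  // name matched by version detection, "" if no match
    std::string table_name;   // name listed for the port in nmap-services, "" if none
};

// Compose the SERVICE column. unknown_is_special selects the variant in which a
// port that nmap-services names "unknown" is treated as if it were not listed.
std::string service_column(const PortInfo &p, bool unknown_is_special) {
    const std::string prefix = p.ssl_tunnel ? "ssl/" : "";
    if (!p.probed_name.empty())
        return prefix + p.probed_name;            // positive match: no question mark
    if (p.table_name.empty())
        return prefix + "unknown";                // assumption: nothing to guess from
    if (unknown_is_special && p.table_name == "unknown")
        return prefix + "unknown";
    return prefix + p.table_name + "?";           // table-based guess, marked with '?'
}

int main() {
    const PortInfo cases[] = {
        {false, "", "http"},      // ncat -l on port 80, service sends nothing
        {true,  "", "http"},      // openssl s_server on port 80
        {true,  "", "unknown"},   // openssl s_server on port 4433
        {true,  "http", "http"},  // constructed: version detection matched http
    };
    // Left column: '?' on every table-based guess; right column: "unknown" special-cased.
    for (const PortInfo &c : cases)
        std::cout << service_column(c, false) << "  |  "
                  << service_column(c, true) << "\n";
    return 0;
}
```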