Nmap Development mailing list archives

Re: --proxies oddities


From: Henri Doreau <henri.doreau () gmail com>
Date: Tue, 30 Apr 2013 21:24:39 +0200

2013/4/30 David Fifield <david () bamsoftware com>:
> http-title works, ssl-cert doesn't.

[...]

> I can accept that maybe there is a technical reason why ssl-cert isn't
> working, because the socket it has isn't really an SSL socket.
> http-title on an HTTPS port doesn't seem to work either.
>
> ./nmap --proxies=socks4://localhost:9050 -n -Pn --script=http-title -p 443 secwiki.org -d
>
> David Fifield

Yeah, I know about this one... and I'm not sure what to do.

As you said, the current architecture of nsock doesn't make it easy at
all to properly hook SSL connection requests, as it internally already
mixes several operations. I think not supporting it for now is better
than having super intrusive checks everywhere in the code.

I don't think that we should accept this limitation forever though.
First because it's annoying, second because it has no actual reason to
be. I plan to rework nsock SSL code, I'll make a design proposal here
when ready. Proper proxy support is one of the goals.

What do we want meanwhile? I'm not sure, given the very early stage of
the proxy support... I can make nsock_connect_ssl() return an
NSE_STATUS_ERROR[1] if nsp->px_chain != NULL for instance. What do you
think?

Regards


[1] for those who aren't familiar with nsock internals, "NSE" stands
for "nsock event" here and has nothing to do with the scripting
engine. It's sort of confusing and could be renamed to "NEV" maybe.

--
Henri