
Nmap Development mailing list archives
[NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 11 Oct 2014 18:24:25 -0500
All,

There's been a lot of press recently about Google and Mozilla becoming more aggressive about how they handle x509 certificates that have been signed using SHA-1. To assist with detecting SHA-1 signed certificates, I have created and attached a patch that adds the signature algorithm that was used to sign the target's x509 certificate to the output of 'ssl-cert.nse'.

I am not a C coder, so the modifications to 'nse_ssl_cert.cc' may need a bit of tweaking. Also, the ordering of elements may need to be adjusted. To reduce user confusion I purposely did not place the Signature Algorithm output near the MD5 and SHA-1 hashes. Those values are 'fingerprints', or, for Microsoft products, thumbprints, and are generated by ssl-cert.nse.

Here is some sample output of RSA and ECDSA certificates with SHA256 and SHA384 signatures.

PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack ttl 54
| ssl-cert: Subject: commonName=www.cloudflare.com/organizationName=CloudFlare, Inc./stateOrProvinceName=California/countryName=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4710875/organizationalUnitName=Internet Security and Acceleration/1.3.6.1.4.1.311.60.2.1.3=US/streetAddress=665 3rd St./localityName=San Francisco
| Issuer: commonName=GlobalSign Extended Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-04-10T19:47:02
| Not valid after:  2015-01-05T13:37:49
| MD5:   5f65 2c25 b737 73ad 4ce0 6d18 8973 89c7
| SHA-1: c430 e21b 8cff 8590 cada af93 62d0 9a8b fb94 9c4f
| -----BEGIN CERTIFICATE-----
<snip>
|_-----END CERTIFICATE-----

443/tcp open  https   syn-ack ttl 118
| ssl-cert: Subject: commonName=somehostwithdsa.myorg.com/organizationalUnitName=Persona Not Verified
| Issuer: commonName=Entrust ECC Demonstration CA/organizationName=Entrust, Inc./countryName=US/organizationalUnitName=For Test Purposes Only
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2014-08-13T19:53:53
| Not valid after:  2014-10-12T20:23:53
| MD5:   81f1 4516 a138 a481 dbc0 19a9 0516 8224
| SHA-1: 3196 25df 15b3 9ec2 7232 44a4 80d8 53cf e3f9 a12f
| -----BEGIN CERTIFICATE-----
<snip>
|_-----END CERTIFICATE-----

Feedback is appreciated. If approved I will commit the change.

Thanks much,
Tom Sellers
Attachment:
ssl-cert_sig-algo-20141011.patch
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
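The field the patch exposes through OpenSSL is the outer signatureAlgorithm of the X.509 Certificate structure. As an added example, not part of Tom's patch or of Nmap, the dependency-free Python below walks a DER-encoded certificate to that OID, maps it to the same names OpenSSL prints (sha256WithRSAEncryption, ecdsa-with-SHA384, ...) and flags the MD5/SHA-1 algorithms the browsers were phasing out. The two sample certificates are constructed stand-ins with a dummy tbsCertificate and dummy signature value, not real certificates.

```python
SIG_ALG_NAMES = {                       # names as OpenSSL (and the patch output) print them
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Convert OID content octets (base 128, high bit = continue) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = read_tlv(body, 0)       # skip tbsCertificate; the outer AlgorithmIdentifier is next
    _, alg, _ = read_tlv(body, pos)
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must begin with an OID"
    dotted = decode_oid(oid)
    return dotted, SIG_ALG_NAMES.get(dotted, dotted)

def is_weak_signature(cert_der):
    # MD5- and SHA-1-based algorithms are the ones Google and Mozilla were phasing out
    return any(d in signature_algorithm(cert_der)[1].lower() for d in ("md5", "sha1"))

def fake_cert(oid_content):
    """Constructed sample, not a real certificate: dummy TBS, given OID + NULL params, dummy BIT STRING."""
    tlv = lambda tag, c: bytes([tag, len(c)]) + c          # short-form lengths suffice for these sizes
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, oid_content) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xab\xcd"))

SHA1_RSA = fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
ECDSA_SHA384 = fake_cert(bytes.fromhex("2a8648ce3d040303"))  # 1.2.840.10045.4.3.3
```

On a real certificate, feed `signature_algorithm()` the DER bytes between the BEGIN/END CERTIFICATE lines after base64-decoding them.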
Current thread:
- [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm Tom Sellers (Oct 11)
- Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm David Fifield (Oct 11)
- Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm Tom Sellers (Oct 11)
- Fwd: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm Tom Sellers (Oct 25)
- Re: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm Daniel Miller (Oct 25)
- Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm Tom Sellers (Oct 11)
- Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm David Fifield (Oct 11)