Commit
Add flag to set cipher suite preferences on a TLS session (#1020)
* Add the definitions to set preferences which can't be set via the priority string
* Extend open_stream_connection_ext() to receive the new bit flag variable for setting cipher suite preferences on a TLS session
* Forward the flag variable to set the TLS preferences or use NO_PRIORITY_FLAGS, as required for each case.
* Catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error during the handshake and return -2 to allow caller functions to handle this special case.
* Handle the GNUTLS_E_DH_PRIME_UNACCEPTABLE error case. Retry with a lower prime bits number. For this, use the new bit flag variable.

What:

Currently, when the scanner opens a TLS session, cipher suite preferences can be set only via the priority string. Other preferences can be set via functions. This PR extends the open_stream_connection_ext() function to accept a flag which allows setting other preferences (e.g. the number of bits for use in a Diffie-Hellman key exchange).

Jira: SC-441

Why:

nasl_builtin_find_service.c fails to detect the SSL/TLS service because, in this particular case, the server sends a prime of 512 bits, and the client limit is 1008 (set with the NORMAL priority). This PR handles this error, sets a new minimum (128) and retries to open the TLS connection.
How:

    sudo openvas-nasl -X -B -d -i $PLUGINSPATH -t TARGET find_service.nasl --kb="Ports/tcp/443=1" --debug-tls=9

    [19893] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice
    [19893] (2) Received a prime of 512 bits, limit is 1008
    lib misc-Message: 03:36:31.165: replace key FindService/CnxTime1000/443 -> 45
    lib misc-Message: 03:36:31.166: set key Transports/TCP/443 -> 1
    lib misc-Message: 03:36:51.279: set key Services/unknown -> 443

With the PR:

    [19263] (1) FFDHE groups advertised, but server didn't support it; falling back to server's choice
    [19263] (2) Received a prime of 512 bits, limit is 1008
    lib misc-Message: 03:19:20.218: [19263] gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
    [19263] (1) Note that the security level of the Diffie-Hellman key exchange has been lowered to 128 bits and this may allow decryption of the session data
    lib misc-Message: 03:37:38.525: replace key FindService/RwTime1000/443 -> 101
    lib misc-Message: 03:37:38.525: replace key FindService/tcp/443/get_http -> HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2011 00:00:53 GMT
    Server: Embedded HTTP Server.
    Connection: close
    Content-Length: 107
    Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT
    Content-Type: text/html

    <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML>
    lib misc-Message: 03:37:38.525: set key Services/www -> 443
    lib misc-Message: 03:37:38.525: replace key Known/tcp/443 -> www
    lib misc-Message: 03:37:38.525: replace key www/banner/443 -> HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2011 00:00:53 GMT
    Server: Embedded HTTP Server.
    Connection: close
    Content-Length: 107
    Last-Modified: Fri, 28 Feb 2014 14:53:02 GMT
    Content-Type: text/html

    <HTML><HEAD><meta http-equiv="refresh" content="0; URL=/scgi-bin/platform.cgi"></HEAD><BODY></BODY></HTML>

(cherry picked from commit 8186bb6)
Showing 4 changed files with 72 additions and 19 deletions.