Change: handle Fatal alert during handshake. (#1035)

**Why**: This would make users aware that there is some kind of connectivity issue to the server, be it some strange SSL/TLS configuration or a required client certificate. **How**: ``` $ mkdir -p /tmp/ssl $ cd /tmp/ssl $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes $ openssl s_server -tls1_2 -key key.pem -cert cert.pem -CAfile cert.pem -accept 8443 -www -Verify 1 openvas-nasl -X -B -d -t 127.0.0.1 -i $VTDIR find_service.nasl --kb="Ports/tcp/8443=1" ```
greenbone · Feb 21, 2022 · 21680c3 · 21680c3
1 parent e64e5f6
commit 21680c3
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/misc/network.c b/misc/network.c
@@ -580,7 +580,8 @@ is_ip_address (const char *str)
  *              - INSECURE_DH_PRIME_BITS
  *
  * @return 1 on success. -1 on general error or timeout. -2 if DH prime bits on
- * server side are lower than minimum allowed.
+ * server side are lower than minimum allowed. -3 on Fatal alert received from
+ * server
  *
  */
 static int
@@ -669,13 +670,20 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
                      gnutls_strerror (err));
           return -2;
         }
-      else if (err != GNUTLS_E_INTERRUPTED && err != GNUTLS_E_AGAIN
-               && err != GNUTLS_E_WARNING_ALERT_RECEIVED)
+      else if (err == GNUTLS_E_FATAL_ALERT_RECEIVED)
         {
           g_debug ("[%d] gnutls_handshake: %s", getpid (),
                    gnutls_strerror (err));
+          return -3;
+        }
+      else if (err != GNUTLS_E_INTERRUPTED && err != GNUTLS_E_AGAIN
+               && err != GNUTLS_E_WARNING_ALERT_RECEIVED)
+        {
+          g_debug ("[%d] gnutls_handshake: %s, %d", getpid (),
+                   gnutls_strerror (err), err);
           return -1;
         }
+
       FD_ZERO (&fdr);
       FD_SET (fp->fd, &fdr);
       FD_ZERO (&fdw);

diff --git a/nasl/nasl_builtin_find_service.c b/nasl/nasl_builtin_find_service.c
@@ -1619,6 +1619,14 @@ plugin_do_run (struct script_infos *desc, GSList *h, int test_ssl)
                 }
               else if (cnx < 0 && test_ssl)
                 {
+                  if (cnx == -3)
+                    {
+                      host_fqdn = plug_get_host_fqdn (desc);
+                      g_message ("%s: A TLS fatal alert has been received "
+                                 "during the handshake with %s:%d",
+                                 __func__, host_fqdn, port);
+                      g_free (host_fqdn);
+                    }
                   trp = OPENVAS_ENCAPS_IP;
                   gettimeofday (&tv1, NULL);
                   cnx = open_stream_connection (desc, port, trp, cnx_timeout);