New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nsock: infinite loop "reconnecting with SSL_OP_NO_SSLv2" #1488
Comments
I think the issue here is that the
Which is what I observed after this modification: diff --git a/nsock/src/nsock_core.c b/nsock/src/nsock_core.c
index 117e0aa7e..01ad10749 100644
--- a/nsock/src/nsock_core.c
+++ b/nsock/src/nsock_core.c
@@ -484,7 +484,12 @@ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status
if (!iod->ssl)
fatal("SSL_new failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ printf("options=%x\n",options);
+ printf("options | SSL_OP_NO_SSLv2=%x\n",(options | SSL_OP_NO_SSLv2));
+ printf("SSL_OP_NO_SSLv2=%x\n",SSL_OP_NO_SSLv2);
+ printf("OPTIONS BEFORE: %x\n", SSL_get_options(iod->ssl));
SSL_set_options(iod->ssl, options | SSL_OP_NO_SSLv2);
+ printf("OPTIONS AFTER: %x\n", SSL_get_options(iod->ssl));
socket_count_read_inc(nse->iod);
socket_count_write_inc(nse->iod);
update_events(iod, ms, nse, EV_READ|EV_WRITE, EV_NONE); -> options=80120854
options | SSL_OP_NO_SSLv2=80120854
SSL_OP_NO_SSLv2=0
OPTIONS BEFORE: 80120854
OPTIONS AFTER: 80120854
NSOCK INFO [0.6130s] handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2 Therefore, this is always true hence the infinite loop: Line 462 in 12f1894
|
Thanks for catching this! It looks like OpenSSL prefers the |
Good idea! Something like this? diff --git a/nsock/src/nsock_core.c b/nsock/src/nsock_core.c
index 117e0aa7e..76983b08b 100644
--- a/nsock/src/nsock_core.c
+++ b/nsock/src/nsock_core.c
@@ -459,15 +459,15 @@ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status
nse->sslinfo.ssl_desire = sslerr;
socket_count_write_inc(iod);
update_events(iod, ms, nse, EV_WRITE, EV_NONE);
- } else if (!(options & SSL_OP_NO_SSLv2)) {
+ } else if (!(SSL_get_min_proto_version(iod->ssl) >= SSL3_VERSION)) {
int saved_ev;
/* SSLv3-only and TLSv1-only servers can't be connected to when the
- * SSL_OP_NO_SSLv2 option is not set, which is the case when the pool
- * was initialized with nsock_pool_ssl_init_max_speed. Try reconnecting
- * with SSL_OP_NO_SSLv2. Never downgrade a NO_SSLv2 connection to one
- * that might use SSLv2. */
- nsock_log_info("EID %li reconnecting with SSL_OP_NO_SSLv2", nse->id);
+ * SSLv2 version is proposed, which might be case when the pool
+ * was initialized with nsock_pool_ssl_init_max_speed.
+ * Try reconnecting with minimum version SSL3_VERSION (no SSLv2).
+ * Never downgrade a NO_SSLv2 connection to one that might use SSLv2. */
+ nsock_log_info("EID %li reconnecting with minium version: SSL3_VERSION", nse->id);
saved_ev = iod->watched_events;
nsock_engine_iod_unregister(ms, iod);
@@ -478,13 +478,16 @@ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status
/* Use SSL_free here because SSL_clear keeps session info, which
* doesn't work when changing SSL versions (as we're clearly trying to
- * do by adding SSL_OP_NO_SSLv2). */
+ * do by setting a minimum version). */
SSL_free(iod->ssl);
iod->ssl = SSL_new(ms->sslctx);
if (!iod->ssl)
fatal("SSL_new failed: %s", ERR_error_string(ERR_get_error(), NULL));
- SSL_set_options(iod->ssl, options | SSL_OP_NO_SSLv2);
+ rc = SSL_set_min_proto_version(iod->ssl, SSL3_VERSION);
+ if (rc == 0)
+ nsock_log_error("Uh-oh: SSL_set_min_proto_version() failed - please tell dev@nmap.org");
+
socket_count_read_inc(nse->iod);
socket_count_write_inc(nse->iod);
update_events(iod, ms, nse, EV_READ|EV_WRITE, EV_NONE); I'm testing against a mock server with the command below, but it seems to fail anyway. Same with #1489. Let me check
|
Nevermind, I'm confusing it with another issue #1490 At least with this patch it doesn't go in a loop:
|
That's closer, but the getter functions aren't available before 1.1.1, and the setter functions aren't available before 1.1.0. We need to maintain compatibility back to 1.0.2 at least. |
I see... Hum hum, how to do that the best 🤔 |
If you have any hint or pointer I can try something :) |
I could be missing something but I do not see why a simple conditional compilation is not perfectly sufficient. See #1873 |
In
nsock_core.c
there's a feature to try reconnect with theSSL_OP_NO_SSLv2
option in some cases:nmap/nsock/src/nsock_core.c
Lines 462 to 470 in 12f1894
The problem is that this triggers infinite loops every time there's an SSL error, but unrelated.
For example I had this with a server presenting a weak DH key (now refused by recent openssl), cf. #1485
Now, I've observed it when running the
ssl-cert
script against a SSL server that requires a client certificate (with latest version from source):Confirmation that the problem comes from a required client cert:
The text was updated successfully, but these errors were encountered: