I ran into a server that has multiple certs configured depending on the negotiated cipher suite. From RFC 5246#7.4.2:
If the server has multiple certificates, it chooses one of them based
on the above-mentioned criteria (in addition to other criteria, such
as transport layer endpoint, local configuration and preferences,
etc.).
ssl-cert uses the library sslcert.lua's getCertificate(), but there are some issues:
Library assumes there is only 1 cert per host/port in the cache
More importantly, I suspect the function socket:get_ssl_certificate() includes all cipher suites in the ClientHello. Its equivalent non-openssl function: handshake_cert() definitely does (by calling tls.client_hello() without options). So the server will always return the same one, probably the one associated with the most secure suite (or some other criteria).
However, if you debug print the cert retrieved by the script ssl-enum-ciphers, which probes with multiple ClientHellos with different/smaller sets of cipher suites, you will see that there could be different certs on such a server.
It would be great if ssl-cert can enumerate all the certs configured on a server.
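An added example, not part of the original issue and not Nmap's code: a Python sketch of the enumeration requested above, performing one handshake per restricted cipher group and collecting the distinct leaf certificates by SHA-256 fingerprint. The group split (OpenSSL cipher strings `aRSA` and `aECDSA`) and the names `fetch_der` and `enumerate_certs` are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Cipher groups keyed by the authentication type the server must use to
# complete the handshake (OpenSSL cipher-list strings; an assumed split).
CIPHER_GROUPS = {
    "RSA-auth": "aRSA",
    "ECDSA-auth": "aECDSA",
}

def fetch_der(host, port, ciphers, timeout=5.0):
    """Handshake offering only `ciphers`; return the leaf certificate (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # certificate inventory, not trust evaluation
    ctx.verify_mode = ssl.CERT_NONE
    # In TLS 1.3 the suite no longer names the authentication algorithm,
    # so cap at TLS 1.2, the version RFC 5246 describes.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)            # raises ssl.SSLError if nothing matches locally
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def enumerate_certs(host, port, groups=CIPHER_GROUPS, fetch=fetch_der):
    """Map SHA-256 fingerprint -> sorted list of cipher groups that returned it."""
    seen = {}
    for label, ciphers in groups.items():
        try:
            der = fetch(host, port, ciphers)
        except (ssl.SSLError, OSError):
            continue                    # group rejected by server or unreachable
        if not der:
            continue
        fp = hashlib.sha256(der).hexdigest()
        seen.setdefault(fp, []).append(label)
    return {fp: sorted(labels) for fp, labels in seen.items()}

if __name__ == "__main__":
    import sys
    for fp, labels in enumerate_certs(sys.argv[1], int(sys.argv[2])).items():
        print(fp, ",".join(labels))
```

More than one fingerprint in the result means the server selects its certificate by negotiated suite, which a single all-suites ClientHello would not reveal.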