[NSE] sslcert.lua - problems with LDAP Services #531
There are two issues with
STARTTLS vs version detection
When version detection is used against an
Since this issue is due to the version detection changing the label to something in the STARTTLS table and version detection will know the tunnel type at this point I have a commit that fixes this problem by checking to see if the
The LDAP STARTTLS related request is not encoded correctly. It was being encoded as a standard ASN.1 octet string (tag 0x04). This failed to work and was not parsed as valid in Wireshark.

```lua
-- Pre-fix encoding from sslcert.lua: ldap.encode() wraps the OID string as a
-- UNIVERSAL OCTET STRING (tag 0x04), which is not what RFC 4511 specifies for
-- the requestName of an ExtendedRequest.
local ldap = require "ldap"

-- STARTTLS extended operation OID (RFC 4511 / RFC 2830)
local oid = ldap.encode("1.3.6.1.4.1.1466.20037")
local ldapRequest = ldap.encodeLDAPOp(ExtendedRequest, true, oid)
local ldapRequestId = ldap.encode(1)
```
Per RFC 4511 Section 4.12, the requestName, in this case the OID for STARTTLS, is an octet encoded string with a context-specific tag of 0, meaning that it should be encoded with tag 0x80.
After this change has been made STARTTLS functions correctly against LDAP services that support it.
I will be committing code momentarily that addresses both of the issues above. It has been tested against Windows Active Directory (with and without support for STARTTLS) and OpenLDAP (with STARTTLS support) servers.
The following commands were used and returned the expected results:
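To make the tagging difference concrete, here is an added example (not code from the issue or from Nmap) that builds the LDAP STARTTLS ExtendedRequest as raw BER bytes, once with the correct `[0]` context-specific tag (0x80) and once with the UNIVERSAL OCTET STRING tag (0x04) the buggy build sent, and a minimal decoder of the kind a server or Wireshark would apply to show why only the first form is accepted. The helper names are my own; the byte layout follows RFC 4511.

```python
from typing import Optional, Tuple

# OID of the STARTTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV using the short or long definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def starttls_request(message_id: int = 1, context_tag: bool = True) -> bytes:
    """Build LDAPMessage { messageID, extendedReq { requestName } } for STARTTLS.

    context_tag=True  -> requestName tagged [0] IMPLICIT, primitive: 0x80 (correct)
    context_tag=False -> requestName tagged UNIVERSAL OCTET STRING: 0x04 (the bug)
    """
    name_tag = 0x80 if context_tag else 0x04
    request_name = ber_tlv(name_tag, STARTTLS_OID.encode("ascii"))
    # extendedReq is [APPLICATION 23] and constructed: 0x40 | 0x20 | 23 == 0x77.
    extended_req = ber_tlv(0x77, request_name)
    # messageID is a plain INTEGER; minimal big-endian two's complement for id >= 0.
    msg_id = ber_tlv(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))
    return ber_tlv(0x30, msg_id + extended_req)  # LDAPMessage SEQUENCE


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after the TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def decode_starttls_request(msg: bytes) -> Tuple[int, Optional[str]]:
    """Return (messageID, OID); OID is None when requestName carries the wrong tag."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x77:
        raise ValueError("protocolOp is not an ExtendedRequest")
    tag, name, _ = read_tlv(ext, 0)  # a strict decoder rejects anything but [0]
    return int.from_bytes(mid, "big"), name.decode("ascii") if tag == 0x80 else None
```

The correct request starts `30 1d 02 01 01 77 18 80 16` followed by the OID text; the buggy variant differs only in the 0x04 at the requestName tag position, which is enough for a strict decoder to drop the OID.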