Add tls.servername script-arg for TLS SNI without DNS #540
As explained in http://seclists.org/nmap-dev/2016/q1/46, when the DNS cannot be used, or for testing purposes, it can be useful to force the TLS server name indicated by Nmap. This pull request should thus address #276.
Examples of how this is achieved:
The script-arg has precedence over `host.targetname` and there is no support for supplying multiple servernames to be attempted. It basically behaves the same as
The script argument is supported by all scripts already benefiting from Nmap's existing TLS SNI support. Those using the `tls.lua` library were easy to adapt because of the modularity of that library. By the way, I think this reduced the complexity of `ssl-enum-ciphers.nse`. Those relying on `sslcert.getCertificate` were adapted with just:
The reason is that `sslcert.getCertificate` uses Nmap's nsock implementation of TLS with OpenSSL, which would have been trickier to modify.
My main use case is building a script that scans the right IP address of a host even if the DNS of that host rotates, which is a common way of performing load-balancing. It is about to be used (merged into Nmap or not) by https://discovery.cryptosense.com.
I hope this is useful!