As explained in http://seclists.org/nmap-dev/2016/q1/46, when the DNS cannot be used, or for testing purposes, it can be useful to force the TLS server name indicated by Nmap. This pull request should thus address #276.
Examples of how this is achieved:
```
nmap --script ssl-cert --script-args=tls.servername=example.net 192.0.2.1
nmap --script ssl-cert --script-args=tls.servername=example.net example.org
nmap --script ssl-enum-ciphers --script-args=tls.servername=example.net example.org
```
The script-arg has precedence over host.targetname and there is no support for supplying multiple servernames to be attempted. It basically behaves the same as
```
openssl s_client -servername <tls.servername> -connect example.net:<port> <host.targetname>
```
The script argument is supported by all scripts already benefiting from Nmap's existing TLS SNI support. Those using the tls.lua library were easy to adapt because of the modularity of that library. By the way, I think this reduced the complexity of ssl-enum-ciphers.nse. Those relying on sslcert.getCertificate were adapted with just:
```
host.targetname = tls.servername(host)
```
The reason is that sslcert.getCertificate uses Nmap's nsock implementation of TLS with OpenSSL, which would have been trickier to modify.
My main use case is building a script that scans the right IP address of a host even if the DNS of that host rotates, which is a common way of performing load-balancing. It is about to be used (merged into Nmap or not) by https://discovery.cryptosense.com.
I hope this is useful!
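As an added example (not code from this pull request or from Nmap's tls.lua), the snippet below mirrors the precedence rule described above, script-arg over host.targetname with a single name only, and encodes the chosen name as an RFC 6066 server_name extension; the `host` and `args` tables are constructed stand-ins for Nmap's host object and stdnse.get_script_args.

```lua
-- Constructed stand-in for stdnse.get_script_args("tls.servername")
local function get_script_arg(args, name)
  return args[name]
end

-- Precedence as the PR describes it: the tls.servername script-arg wins,
-- otherwise host.targetname; nil when neither is set (e.g. a bare IP target),
-- in which case no SNI extension should be sent.
local function servername(host, args)
  local name = get_script_arg(args, "tls.servername")
  if name == nil or name == "" then
    name = host.targetname
  end
  if name == nil or name == "" then
    return nil
  end
  return name
end

-- Big-endian 16-bit length prefix (portable across Lua 5.2/5.3/5.4)
local function u16(n)
  return string.char(math.floor(n / 256), n % 256)
end

-- RFC 6066 server_name extension:
-- [ext type 0][ext len][list len][name type 0 = host_name][name len][name]
local function sni_extension(name)
  local entry = "\0" .. u16(#name) .. name
  local list = u16(#entry) .. entry
  return u16(0) .. u16(#list) .. list
end

-- Constructed sample: IP target scanned with --script-args tls.servername=example.net
local host = { ip = "192.0.2.1", targetname = nil }
local args = { ["tls.servername"] = "example.net" }
local name = servername(host, args)
assert(name == "example.net")
-- 2 + 2 + 2 + 1 + 2 + #"example.net" (11) = 20 bytes
assert(#sni_extension(name) == 20)

-- Constructed sample: hostname target without the script-arg uses host.targetname
assert(servername({ targetname = "example.org" }, {}) == "example.org")
-- Constructed sample: bare IP target and no script-arg yields no SNI at all
assert(servername({ ip = "192.0.2.1" }, {}) == nil)
```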
Add support for tls.servername script argument
Use tls.servername arg in tls.lua-based scripts
Use tls.servername before sslcert.getCertificate
Add tls.servername script-arg. Closes #540