TLS 1.2 support for http #5870
Comments
sslv23 should be what should probably be tried by default (since that is how to enable auto negotiation) - I think the exception is causing the iteration to fail, even though it's in the defaults list.
@bcook-r7 sslv23 doesn't negotiate up to TLS (or at least, didn't, the last time I tried). Neither the SSLTcp socket nor the HTTP client code will automatically retry with a different version right now. We would need to add an exception catch/retry in the HTTP client or mixin. Adding it to the Rex layer would break things that enable SSL/TLS on established sockets (Meterpreter).
Is that a Rex issue? Plain OpenSSL with Ruby using sslv23 advertises TLS1.2 in the HELLO here:

```ruby
require 'openssl'
require 'socket'

tcp_client = TCPSocket.new 'google.com', 443
ssl_context = OpenSSL::SSL::SSLContext.new
# "SSLv23" selects the version-flexible method; verify_mode 1 is VERIFY_PEER
ssl_context.set_params({ :ssl_version=>"SSLv23", :verify_mode=>1, :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", :options=>-2147480585})
ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, ssl_context
ssl_client.connect
```

There is a new TLS_ option that also supports SSLv3 that's the new alias for this method (and it removes SSLv2 support automatically of course).
Oh, that's an easy fix then, change "Auto" to use sslv23 instead of tls1.
We came across a site that requires TLS1.2 and owa_login bombed out. SSLVersion does not include TLS1_1 or TLS1_2. Once these are added, it works fine.
Error:

```
[-] Auxiliary failed: Errno::ECONNRESET Connection reset by peer - SSL_connect
[-] Call stack:
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:147:in `connect'
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:147:in `block in initsock_with_ssl_version'
[-] /home/newt/tools/ruby/lib/ruby/2.2.0/timeout.rb:89:in `block in timeout'
[-] /home/newt/tools/ruby/lib/ruby/2.2.0/timeout.rb:34:in `block in catch'
[-] /home/newt/tools/ruby/lib/ruby/2.2.0/timeout.rb:34:in `catch'
[-] /home/newt/tools/ruby/lib/ruby/2.2.0/timeout.rb:34:in `catch'
[-] /home/newt/tools/ruby/lib/ruby/2.2.0/timeout.rb:104:in `timeout'
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:145:in `initsock_with_ssl_version'
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:93:in `block in initsock'
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:89:in `each'
[-] /opt/local/metasploit-framework/lib/rex/socket/ssl_tcp.rb:89:in `initsock'
[-] /opt/local/metasploit-framework/lib/rex/socket/comm/local.rb:339:in `create_by_type'
[-] /opt/local/metasploit-framework/lib/rex/socket/comm/local.rb:33:in `create'
[-] /opt/local/metasploit-framework/lib/rex/socket.rb:47:in `create_param'
[-] /opt/local/metasploit-framework/lib/rex/socket/tcp.rb:37:in `create_param'
[-] /opt/local/metasploit-framework/lib/rex/socket/tcp.rb:28:in `create'
[-] /opt/local/metasploit-framework/lib/rex/proto/http/client.rb:182:in `connect'
[-] /opt/local/metasploit-framework/lib/rex/proto/http/client.rb:248:in `send_request'
[-] /opt/local/metasploit-framework/lib/rex/proto/http/client.rb:234:in `_send_recv'
[-] /opt/local/metasploit-framework/lib/rex/proto/http/client.rb:215:in `send_recv'
[-] /opt/local/metasploit-framework/lib/msf/core/exploit/http/client.rb:332:in `send_request_cgi'
[-] /opt/local/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:298:in `block in get_ad_domain'
[-] /opt/local/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:296:in `each'
[-] /opt/local/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:296:in `get_ad_domain'
[-] /opt/local/metasploit-framework/modules/auxiliary/scanner/http/owa_login.rb:124:in `run'
```
Files:
lib/msf/core/exploit/http/client.rb
lib/rex/socket/ssl_tcp.rb
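
The difference the thread turns on, a client pinned to one old protocol version versus one that leaves the range open for negotiation, reproduced against a loopback server that only accepts TLS 1.2 and later. This is an added example, not Metasploit or Rex code and not from any commenter; the function names and the fixture server with its throwaway self-signed certificate are constructed for illustration, and it assumes Ruby 2.5+ for `min_version`/`max_version`.

```ruby
require 'openssl'
require 'socket'

# Constructed fixture: loopback TLS server that refuses anything below TLS 1.2,
# standing in for the site in the report. Returns the port it listens on.
def start_tls12_only_server
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = key
  ctx.cert = cert
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        server.accept.close
      rescue StandardError
        next # rejected handshakes are expected
      end
    end
  end
  tcp.addr[1]
end

# One handshake attempt. Returns the negotiated protocol ("TLSv1.2", ...) or the
# exception class name on failure. nil min/max leaves the range open to negotiate.
def handshake(port, min: nil, max: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # fixture cert is self-signed
  ctx.min_version = min if min
  ctx.max_version = max if max
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
  e.class.name
ensure
  tcp&.close
end
```

Calling `handshake(port)` with no bounds returns the negotiated version, while `handshake(port, max: OpenSSL::SSL::TLS1_VERSION)` returns an error class name, the same kind of handshake failure as the `SSL_connect` reset in the report.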