Hydra fails to create an SSL session when server requires Server Name Indication (SNI) #129
Comments
sounds very likely. I will try to produce a patch.
I pushed a patch, please test
Thanks for the quick patch. Unfortunately, after recompiling 4c25bdd and testing again, I get a similar (but somewhat different) error:
Packet capture is almost identical, except TLS ClientHello packet now contains SNI with
I believe this is because your patch hardcodes Perhaps modifying the patch so that when hydra's target is a domain name, this value is passed to the SNI field would be more successful? That is, with a command line like this:
then I would expect the TLS SNI field value to be
damnit. I was hoping I could use the easy way. this will require a larger code change. sigh. but I have the time today and tomorrow ...
OK, just checked in a LARGE patch. because to have this functionality I had to change nearly every single .c file in hydra. please try again.
Thank you, this patch does fix the connection issue. The TLS SNI field value is correct and Hydra is able to connect. I consider this issue fixed. I'm having another problem with the HTTP modules but I'll create a new issue for that, since I think it's distinct from this TLS problem. Again, thank you for the quick patch!
how do you install the patch, I get the "Could not create an SSL session" error
The relevant line of output is the following:
This is the exact error I get when I use
openssl s_client -connect myserver:443
However, I know that my server requires TLS Server Name Indication for a successful connection, so
openssl s_client -connect myserver:443 -servername myserver
fixes the issue and allows s_client to connect.
I then performed a Wireshark packet capture and confirmed that Hydra does not use the SNI extension when using the https-post-form service module. This would explain the failure to connect and the OpenSSL error raised. The packet capture file is attached as hydra-issue-129.pcapng.gz, and is annotated. (Use the display filter pkt_comment to see the packets of interest.)
I tested this with Hydra 8.1 and OpenSSL 1.0.1k (on Linux).
It's possible this is also related to #114. Please let me know if you need any more information from me. I'm not confident with my C programming, so I apologize for the lack of a patch.
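The check this report makes with Wireshark (does the ClientHello carry a server_name extension, and with which value?) can also be done offline. The following is an added example, not part of the original issue or of Hydra's code: it has Python's ssl module emit a ClientHello into memory with and without a host name and parses the SNI out of the raw bytes. The function names are chosen here; `myserver` is the placeholder host from the report.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the raw ClientHello Python's ssl module would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # allow server_hostname=None for the "no SNI" case
    ctx.verify_mode = ssl.CERT_NONE  # nothing is verified: the handshake never completes
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written its ClientHello and awaits a reply
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the SNI host name in a ClientHello, or None if the extension is absent."""
    # Reassemble the handshake message from one or more TLS records (type 0x16).
    msg, pos = b"", 0
    while pos + 5 <= len(data):
        rtype, _ver, rlen = struct.unpack_from("!BHH", data, pos)
        if rtype != 0x16:
            raise ValueError("not a TLS handshake record")
        msg += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    p = 2 + 32                                        # legacy_version + random
    p += 1 + body[p]                                  # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")     # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions at all
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, p)
        ext = body[p + 4:p + 4 + elen]
        if etype == 0:  # server_name (RFC 6066)
            # list length (2), name_type (1, 0 = host_name), name length (2), name
            nlen = int.from_bytes(ext[3:5], "big")
            return ext[5:5 + nlen].decode("ascii")
        p += 4 + elen
    return None

if __name__ == "__main__":
    for host in (None, "myserver"):  # mirrors s_client without / with -servername
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

The same parser can be pointed at ClientHello bytes exported from a packet capture to confirm which name, if any, a client actually sent.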