-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can we disable tls parsing in http module #378
Comments
Can you provide enough info to reproduce this? Is there a host/port with this behavior you can share? I would be much more interested in fixing it rather than masking it |
You can try the command, I think it is specifically because of tls certificate is not following the asn.1 standard. echo 34.107.18.135 | ./zgrab http -p 443 --use-https |
The fix for this would be to loosen the ASN1 parsing in https://github.com/zmap/zcrypto |
This is driven by zmap#378, zmap/zcrypto#364 and zmap#334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ```
* Add permissive parsing TLS option This is driven by #378, zmap/zcrypto#364 and #334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ``` * Make permissive parsing the default/no option
I believe this can now be resolved |
@rony0724 have you tried out the changes referenced in the issue? They should provide the behavior you were looking for |
something like --no-tls
./zgrab http -p 443 --use-https --no-tls
At some ips, tls certificate parsing is getting failed.
{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-04-08T08:53:52Z","error":"tls: failed to parse certificate from server: asn1: syntax error: PrintableString contains invalid character"}
The text was updated successfully, but these errors were encountered: