Skip to content

RFC: Experimental support for servers which require a client certificate #181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MarcT512 wants to merge 6 commits into
base: master
Choose a base branch
from
Open

RFC: Experimental support for servers which require a client certificate #181

MarcT512 wants to merge 6 commits into from

Conversation

@MarcT512
Copy link
Contributor

@MarcT512 MarcT512 commented Jul 10, 2019

RFC: Experimental support for servers which require a client certificate (Fixes #119).
Fix: Typo s/response/respond in "Some servers will fail to response to SSLv3 ciphers over STARTTLS"
Fix: Logic error prevents show trusted CAs running with checkCertificate == true.

RFC patch to enable scanning of servers which require a client certificate.
How: Allow tests to continue in the event the SSL_connect() fails with certain "acceptable" errors . These are:

SSL alert 40 (Handshake failure)
SSL alert 46 (Certificate Unknown)
SSL alert 42 (Bad Certificate)

Testing is encouraged. Unfortunately I cannot provide any public test cases.

MarcT512 added 6 commits June 3, 2019 17:02
@MarcT512
Fix use after free of ssl object.
d4ed35b
@MarcT512
Merge pull request #1 from rbsec/master
58450e2 
Fix use after free of ssl object. (rbsec#178)
@MarcT512
RFC: Additional SSL error reporting in verbose mode.
d942279 
Add a function to convert SSL error codes to a string.
In addition, get the underlying error from OpenSSL and display it.

Before:
[...]
Accepted  TLSv1.0  128 bits  AES128-SHA
SSL_get_error(ssl, cipherStatus) said: 1

After:
[...]
Accepted  TLSv1.0  128 bits  AES128-SHA
SSL_get_error(ssl, cipherStatus) returned: 1 (SSL_ERROR_SSL)
[sslscan.c:testCipher@1584]:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
@MarcT512
Merge pull request #2 from MarcT512/SSL-errors
836677c 
RFC: Additional SSL error reporting in verbose mode.
@MarcT512
Merge pull request #3 from rbsec/master
c742ad6 
Pull in latest from master
@MarcT512
RFC: Experimental support for servers which require a client certificate
465ed4e 
RFC: Experimental support for servers which require a client certificate (Fixes rbsec#119).
Fix: Typo s/response/respond in "Some servers will fail to response to SSLv3 ciphers over STARTTLS"
Fix: Logic error prevents show trusted CAs running with checkCertificate == true.

RFC patch to enable scanning of servers which require a client certificate.
How: Allow tests to continue in the event the SSL_connect() fails with certain "acceptable" errors . These are:

SSL alert 40 (Handshake failure)
SSL alert 46 (Certificate Unknown)
SSL alert 42 (Bad Certificate)

Testing is encouraged. Unfortunately I cannot provide any public test cases.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Scan incomplete with server requiring client certificate

1 participant

@MarcT512