From 6f8ec39063a6499aa62f8eae70fbf9f8073a5637 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Fri, 24 Feb 2017 15:47:48 +0000
Subject: [PATCH] Don't consider protocol mismatch for alerts other than
 protocol_version to be a protocol rejection.
 http://serverfault.com/q/832207/112426

---
 scripts/ssl-enum-ciphers.nse | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 8727c2963..a657fcdd1 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -605,8 +605,11 @@ local function find_ciphers_group(host, port, protocol, group, scores)
       if alert then
         ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
         if alert["protocol"] ~= protocol then
-          ctx_log(1, protocol, "Protocol rejected.")
-          protocol_worked = nil
+          ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol)
+          -- Sometimes this is not an actual rejection of the protocol. Check specifically:
+          if get_body(alert, "description", "protocol_version") then
+            protocol_worked = nil
+          end
           break
         elseif get_body(alert, "description", "handshake_failure") then
           protocol_worked = true