Don't consider protocol mismatch for alerts other than protocol_version to be a protocol rejection. http://serverfault.com/q/832207/112426

2025-12-20 06:29:02 +00:00 · 2017-02-24 15:47:48 +00:00
parent 3ac81b4804
commit 6f8ec39063
1 changed files with 5 additions and 2 deletions
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -605,8 +605,11 @@ local function find_ciphers_group(host, port, protocol, group, scores)
      if alert then
        ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
        if alert["protocol"] ~= protocol then
-          ctx_log(1, protocol, "Protocol rejected.")
-          protocol_worked = nil
+          ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol)
+          -- Sometimes this is not an actual rejection of the protocol. Check specifically:
+          if get_body(alert, "description", "protocol_version") then
+            protocol_worked = nil
+          end
          break
        elseif get_body(alert, "description", "handshake_failure") then
          protocol_worked = true