diff --git a/nselib/sslcert.lua b/nselib/sslcert.lua index a8f84c19f..bc876550f 100644 --- a/nselib/sslcert.lua +++ b/nselib/sslcert.lua @@ -1004,18 +1004,26 @@ function getCertificate(host, port) local mutex = nmap.mutex("sslcert-cache-mutex") mutex "lock" - if ( host.registry["ssl-cert"] and - host.registry["ssl-cert"][port.number] ) then + local cache = host.registry["ssl-cert"] + if not cache then + cache = {} + host.registry["ssl-cert"] = cache + end + local key = ("%d%s"):format(port.number, port.protocol) + local cert = cache[key] + + if cert then stdnse.debug2("sslcert: Returning cached SSL certificate") mutex "done" - return true, host.registry["ssl-cert"][port.number] + return true, cert end - local cert - - local wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number] - local special_table = have_openssl and SPECIALIZED_PREPARE_TLS or SPECIALIZED_PREPARE_TLS_WITHOUT_RECONNECT - local specialized = special_table[port.service] or special_table[port.number] + local wrapper, specialized + if (port.protocol == "tcp") then + wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number] + local special_table = have_openssl and SPECIALIZED_PREPARE_TLS or SPECIALIZED_PREPARE_TLS_WITHOUT_RECONNECT + specialized = special_table[port.service] or special_table[port.number] + end local status = false @@ -1051,10 +1059,8 @@ function getCertificate(host, port) -- Now try to connect with Nsock's SSL connection if not status and have_openssl then - local socket = nmap.new_socket() - local errmsg - status, errmsg = socket:connect(host, port, "ssl") - if not status then + local socket, errmsg = comm.opencon(host, port, nil, {proto="ssl"}) + if not socket then stdnse.debug1("SSL connect error: %s", errmsg) else cert = socket:get_ssl_certificate() 
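Review bot: The new cache key `("%d%s"):format(port.number, port.protocol)` changes the layout of `host.registry["ssl-cert"]` without a comment saying so. Anything that still indexes that table by `port.number` would now miss every entry; no such reader is visible in this diff, so it is worth a grep before merging. Keying on protocol as well as number is what stops a certificate fetched over TCP from being returned for a UDP service on the same port, and that deserves a line at the lookup: `-- key is number .. protocol (e.g. "443tcp"); TCP and UDP services on one port must not share a cached cert`. getCertificate starts and ends outside this hunk.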
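Review bot: With the switch to `comm.opencon`, `status` is no longer assigned from the connect result in this block. Whether the later manual-handshake fallback (gated on `not status`) is skipped after a successful fetch now depends entirely on the lines following `cert = socket:get_ssl_certificate()`, which are outside this hunk. If that tail does not already do so, derive the flag from the certificate rather than the socket, e.g. `status = not not cert`, and close the socket on that path. Otherwise a successful Nsock fetch would be followed by a second, unnecessary connection to the target.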
@@ -1065,7 +1071,8 @@ function getCertificate(host, port) -- Finally, try to connect and manually handshake (maybe more tolerant of TLS -- insecurity than OpenSSL) - if not status then + -- TODO: DTLS handshaking + if not status and port.protocol == "tcp" then local socket = nmap.new_socket() local errmsg status, errmsg = socket:connect(host, port) @@ -1082,9 +1089,7 @@ function getCertificate(host, port) return false, "No certificate found" end - host.registry["ssl-cert"] = host.registry["ssl-cert"] or {} - host.registry["ssl-cert"][port.number] = host.registry["ssl-cert"][port.number] or {} - host.registry["ssl-cert"][port.number] = cert + cache[key] = cert mutex "done" return true, cert end diff --git a/scripts/http-vuln-cve2014-2126.nse b/scripts/http-vuln-cve2014-2126.nse index c4a525921..d51247edf 100644 --- a/scripts/http-vuln-cve2014-2126.nse +++ b/scripts/http-vuln-cve2014-2126.nse @@ -38,7 +38,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "safe"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.isPortSupported(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port)) end action = function(host, port) diff --git a/scripts/http-vuln-cve2014-2127.nse b/scripts/http-vuln-cve2014-2127.nse index 1754d6e41..92d89c275 100644 --- a/scripts/http-vuln-cve2014-2127.nse +++ b/scripts/http-vuln-cve2014-2127.nse @@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "safe"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.isPortSupported(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port)) end action = function(host, port) diff --git a/scripts/http-vuln-cve2014-2128.nse b/scripts/http-vuln-cve2014-2128.nse index ee7811e75..05b3e51b6 100644 --- a/scripts/http-vuln-cve2014-2128.nse +++ b/scripts/http-vuln-cve2014-2128.nse 
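Review bot: A non-TCP port now skips this fallback silently, and on a build without OpenSSL the Nsock attempt (gated on `have_openssl`) is skipped as well, so as far as the visible lines show the call falls through to `"No certificate found"` with no debug output. In scan results that reads like a negative finding rather than an unsupported case. I would add a branch such as `elseif not status then stdnse.debug1("sslcert: manual handshake not implemented for %s", port.protocol)` so the gap is visible at `-d`. The `if` block's body and closing `end` are outside this hunk.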
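Review bot: The added `port.protocol == "tcp"` guard in http-vuln-cve2014-2126.nse has no comment explaining that the script is limited to stream TLS, and the identical line is pasted into the other fourteen portrule hunks in this diff (http-vuln-cve2014-2127/2128/2129, the ssl-* and sslv2* scripts, tls-alpn, tls-nextprotoneg, tls-ticketbleed). For the vuln-category scripts the effect is that a DTLS service produces no output at all, which someone reading a report can mistake for a clean result unless it is documented. I would put `-- TCP only: DTLS (UDP) is not handled by this script` above each rule and say the same in the script description, which is outside these hunks. A single shared predicate in sslcert.lua would also keep the copies from drifting once DTLS handshaking is implemented.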
@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "safe"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.isPortSupported(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port)) end action = function(host, port) diff --git a/scripts/http-vuln-cve2014-2129.nse b/scripts/http-vuln-cve2014-2129.nse index 1246c81cf..be3c7b3f0 100644 --- a/scripts/http-vuln-cve2014-2129.nse +++ b/scripts/http-vuln-cve2014-2129.nse @@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "safe"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.isPortSupported(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port)) end action = function(host, port) diff --git a/scripts/ssl-ccs-injection.nse b/scripts/ssl-ccs-injection.nse index fd34bb151..3d2bf4023 100644 --- a/scripts/ssl-ccs-injection.nse +++ b/scripts/ssl-ccs-injection.nse @@ -69,7 +69,7 @@ categories = { "vuln", "safe" } dependencies = {"https-redirect"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end local Error = { diff --git a/scripts/ssl-date.nse b/scripts/ssl-date.nse index 666630514..e0ef5d547 100644 --- a/scripts/ssl-date.nse +++ b/scripts/ssl-date.nse @@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"} dependencies = {"https-redirect"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end -- Miscellaneous script-wide constants 
diff --git a/scripts/ssl-dh-params.nse b/scripts/ssl-dh-params.nse index bf2bde57e..dcdf8d590 100644 --- a/scripts/ssl-dh-params.nse +++ b/scripts/ssl-dh-params.nse @@ -788,7 +788,7 @@ end portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end local function format_check(t, label) diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse index 881b6bdcb..bb13c96b5 100644 --- a/scripts/ssl-enum-ciphers.nse +++ b/scripts/ssl-enum-ciphers.nse @@ -1095,7 +1095,7 @@ local function try_protocol(host, port, protocol, upresults) end portrule = function (host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end action = function(host, port) diff --git a/scripts/ssl-heartbleed.nse b/scripts/ssl-heartbleed.nse index e2d79e7b9..f4823506c 100644 --- a/scripts/ssl-heartbleed.nse +++ b/scripts/ssl-heartbleed.nse @@ -47,7 +47,7 @@ dependencies = {"https-redirect"} local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end local function recvhdr(s) diff --git a/scripts/ssl-known-key.nse b/scripts/ssl-known-key.nse index bbea63593..9cff2d6cc 100644 --- a/scripts/ssl-known-key.nse +++ b/scripts/ssl-known-key.nse 
@@ -103,7 +103,9 @@ local get_fingerprints = function(path) return true, fingerprints end -portrule = shortport.ssl +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port) +end action = function(host, port) -- Get script arguments. diff --git a/scripts/ssl-poodle.nse b/scripts/ssl-poodle.nse index f9d1b9d0c..f40e48187 100644 --- a/scripts/ssl-poodle.nse +++ b/scripts/ssl-poodle.nse @@ -308,7 +308,7 @@ local function check_fallback_scsv(host, port, protocol, ciphers) end portrule = function (host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end action = function(host, port) diff --git a/scripts/sslv2-drown.nse b/scripts/sslv2-drown.nse index b0d69898a..00a0c5892 100644 --- a/scripts/sslv2-drown.nse +++ b/scripts/sslv2-drown.nse @@ -95,7 +95,7 @@ for k, v in pairs(sslv2.SSL_CIPHERS) do end portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end -- Return whether all values of "t1" are also values in "t2". diff --git a/scripts/sslv2.nse b/scripts/sslv2.nse index 0b7e0a4d0..3e88803ec 100644 --- a/scripts/sslv2.nse +++ b/scripts/sslv2.nse @@ -40,7 +40,7 @@ categories = {"default", "safe"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end action = function(host, port) diff --git a/scripts/tls-alpn.nse b/scripts/tls-alpn.nse index 92dfb8f41..4dabadf7e 100644 --- a/scripts/tls-alpn.nse +++ b/scripts/tls-alpn.nse 
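Review bot: The ssl-known-key.nse portrule is the only one in the diff without a `port.protocol == "tcp"` guard, yet it now also matches through `sslcert.isPortSupported(port)` and `sslcert.getPrepareTLSWithoutReconnect(port)`. Their bodies are not in this diff, but if they match on port number or service name alone (as getCertificate's own lookups on `port.service` and `port.number` do), a UDP port sharing a number with a STARTTLS service would be selected, even though getCertificate only applies the STARTTLS wrappers to TCP. Restricting just the STARTTLS half keeps the DTLS ports that `shortport.ssl` identifies: `return shortport.ssl(host, port) or (port.protocol == "tcp" and (sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)))`.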
@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"} dependencies = {"https-redirect"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end diff --git a/scripts/tls-nextprotoneg.nse b/scripts/tls-nextprotoneg.nse index 33736a7f7..4ab0753f0 100644 --- a/scripts/tls-nextprotoneg.nse +++ b/scripts/tls-nextprotoneg.nse @@ -43,7 +43,7 @@ categories = {"discovery", "safe", "default"} dependencies = {"https-redirect"} portrule = function(host, port) - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end diff --git a/scripts/tls-ticketbleed.nse b/scripts/tls-ticketbleed.nse index 7bbc605eb..859aee597 100644 --- a/scripts/tls-ticketbleed.nse +++ b/scripts/tls-ticketbleed.nse @@ -68,7 +68,7 @@ portrule = function(host, port) return false end - return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) + return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) end local function is_vuln(host, port, version)