Let ssl-cert grab certs from DTLS services. Fix rules for TCP-only scripts

scripts/http-vuln-cve2014-2126.nse

@@ -38,7 +38,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end
 
 action = function(host, port)

scripts/http-vuln-cve2014-2127.nse

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end
 
 action = function(host, port)

scripts/http-vuln-cve2014-2128.nse

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end
 
 action = function(host, port)

scripts/http-vuln-cve2014-2129.nse

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end
 
 action = function(host, port)

scripts/ssl-ccs-injection.nse

@@ -69,7 +69,7 @@ categories = { "vuln", "safe" }
 dependencies = {"https-redirect"}
 
 portrule = function(host, port)
- return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 local Error = {

scripts/ssl-date.nse

@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 -- Miscellaneous script-wide constants

scripts/ssl-dh-params.nse

@@ -788,7 +788,7 @@ end
 
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 local function format_check(t, label)

scripts/ssl-enum-ciphers.nse

@@ -1095,7 +1095,7 @@ local function try_protocol(host, port, protocol, upresults)
 end
 
 portrule = function (host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 action = function(host, port)

scripts/ssl-heartbleed.nse

@@ -47,7 +47,7 @@ dependencies = {"https-redirect"}
 local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 local function recvhdr(s)

scripts/ssl-known-key.nse

@@ -103,7 +103,9 @@ local get_fingerprints = function(path)
   return true, fingerprints
 end
 
-portrule = shortport.ssl
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
+end
 
 action = function(host, port)
   -- Get script arguments.

scripts/ssl-poodle.nse

@@ -308,7 +308,7 @@ local function check_fallback_scsv(host, port, protocol, ciphers)
 end
 
 portrule = function (host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 action = function(host, port)

scripts/sslv2-drown.nse

@@ -95,7 +95,7 @@ for k, v in pairs(sslv2.SSL_CIPHERS) do
 end
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 -- Return whether all values of "t1" are also values in "t2".

scripts/sslv2.nse

@@ -40,7 +40,7 @@ categories = {"default", "safe"}
 
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 action = function(host, port)

scripts/tls-alpn.nse

@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 

scripts/tls-nextprotoneg.nse

@@ -43,7 +43,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}
 
 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 

scripts/tls-ticketbleed.nse

@@ -68,7 +68,7 @@ portrule = function(host, port)
     return false
   end
 
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end
 
 local function is_vuln(host, port, version)