PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Skip TLS/SSL retries when SSL_OP_NO_SSLv2 is a no-op

Browse Source 
OpenSSL option SSL_OP_NO_SSLv2 was retired with version 1.1.0
When the initial SSL handshake fails, nmap performs several additional retries
with option SSL_OP_NO_SSLv2 enabled. Since the option is ignored since OpenSSL
version 1.1.0 then the retries are largely pointless and sometimes even DoS-ing
targets.
Closes #1873, fixes #1488, closes #1489
This commit is contained in:
nnposter
2020-01-09 21:16:08 +00:00
parent 1e743aeaef
commit b1d39d00d4
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nsock/src/nsock_core.c
View File

@@ -459,6 +459,7 @@ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status
nse->sslinfo.ssl_desire = sslerr;
socket_count_write_inc(iod);
update_events(iod, ms, nse, EV_WRITE, EV_NONE);
#if SSL_OP_NO_SSLv2 != 0
} else if (iod->lastproto != IPPROTO_UDP && !(options & SSL_OP_NO_SSLv2)) {
/* SSLv2 does not apply to DTLS, so ensure lastproto was not UDP. */
int saved_ev;
@@ -490,6 +491,7 @@ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status
socket_count_write_inc(nse->iod);
update_events(iod, ms, nse, EV_READ|EV_WRITE, EV_NONE);
nse->sslinfo.ssl_desire = SSL_ERROR_WANT_CONNECT;
#endif
} else {
nsock_log_info("EID %li %s",
nse->id, ERR_error_string(ERR_get_error(), NULL));