danwent / Perspectives-Server

network notary implementation for the Perspectives project
http://perspectives-project.org
GNU General Public License v3.0

ssl_scan_sock sending old TLS headers? #34

Open daveschaefer opened 10 years ago

daveschaefer commented 10 years ago

If you do not scan with SNI, ssl_scan_sock gets a 'protocol version' error from some sites:

python ssl_scan_sock.py howsmyssl.com:443
Error scanning howsmyssl.com:443 - Fatal (2): Code 70 - Protocol Version: The protocol version sent is recognized but not supported.

Perhaps this is happening because we're sending an old client_hello message from an older TLS spec? This should be updated.

daveschaefer commented 10 years ago

Apparently the hex constants in ssl_scan_sock.py may be raw captures from a Wireshark trace. We may be able to trace a client hello with a newer version of openssl, or perhaps we could decipher the constants and write them in a more maintainable way.
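
An added example, not part of the original comment and not code from Perspectives-Server: one way to decipher a raw ClientHello capture into named fields, showing where the record version, client_version and SNI extension sit. The helper names are hypothetical and the sample bytes are constructed here, not taken from ssl_scan_sock.py.

```python
import struct

# Hypothetical helpers; the ClientHello below is a constructed sample.
def build_client_hello(version=(3, 3), ciphers=(0x002F, 0x0035), sni=None):
    """Assemble a TLS ClientHello record from named fields instead of raw hex."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry            # server_name_list
        exts = struct.pack("!HH", 0x0000, len(body)) + body     # extension 0 = server_name
    hello = bytes(version) + bytes(32)       # client_version + random (zeros, sample only)
    hello += b"\x00"                         # empty session_id
    hello += struct.pack("!H", 2 * len(ciphers))
    hello += b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                     # one compression method: null
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # msg_type 1 = client_hello
    # Record header: content type 22 (handshake), record version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(raw):
    """Decipher a captured ClientHello record into named fields."""
    if len(raw) < 5 or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", raw[3:5])[0]
    msg = raw[5:5 + rec_len]
    if len(msg) != rec_len or len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("truncated record or not a client_hello")
    out = {"record_version": tuple(raw[1:3]), "client_version": tuple(msg[4:6]), "sni": None}
    pos = 4 + 2 + 32                         # handshake header + version + random
    pos += 1 + msg[pos]                      # skip session_id
    n = struct.unpack("!H", msg[pos:pos + 2])[0]
    out["ciphers"] = list(struct.unpack("!%dH" % (n // 2), msg[pos + 2:pos + 2 + n]))
    pos += 2 + n
    pos += 1 + msg[pos]                      # skip compression methods
    if pos + 2 <= len(msg):                  # extensions block is optional
        end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            if etype == 0:                   # list len (2) + name_type (1) + name len (2)
                out["sni"] = msg[pos + 9:pos + 4 + elen].decode("ascii")
            pos += 4 + elen
    return out

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello(sni="howsmyssl.com")))
```

Running the parser over the existing hex constants would show which versions they offer and whether a server_name extension is present.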

daveschaefer commented 10 years ago

While working on this a long while back I found a number of things that should be fixed. Created #45 to track it all.

netsafe commented 9 years ago

Consider closing this issue, because SNI was implemented in OpenSSL a long time ago, and I've also fixed it by implementing a round-robin for the OpenSSL scanner.