matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Hacky fix for nmap not working behind a proxy #402

Closed by peternewman 2 years ago

peternewman commented 2 years ago

nmap doesn't work properly behind a proxy.

See e.g.
https://subscription.packtpub.com/book/networking-and-servers/9781786467454/2/ch02lvl1sec37/scanning-through-proxies
https://security.stackexchange.com/questions/120708/nmap-through-proxy

I wonder if we actually just need to skip these checks when the user has given a proxy?

There are also some other nmap-based checks for SSL cipher types; we'll need to check if they work still...

matteocorti commented 2 years ago

Dear Peter,

Thanks for the PR, but I would rather not use nmap at all if a proxy is specified.

The check you fixed is just there to spare some time: if the port is closed I don't check with OpenSSL since s_client will just wait for a timeout. Skipping it would do no harm.

I will also check all other nmap calls and disable them if a proxy is specified.

What do you think?

Matteo

matteocorti commented 2 years ago

I just committed a new version (67c9978) which disables nmap checks if a proxy is used: can you please test it and tell me if it solves the problem?
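The behaviour discussed in this thread (the nmap port pre-check only saves an s_client timeout, so it can be skipped when a proxy is given) as an added example; it is not code from check_ssl_cert or from either commenter. The names `port_precheck`, `default_probe` and the `PROBE_CMD` hook are hypothetical, and the hook exists only so the direct probe can be replaced when no network is available.

```shell
#!/bin/sh
# Added illustration; not code from check_ssl_cert.
# PROBE_CMD (hypothetical) names the function used for the direct probe.

# Direct TCP probe from this host. It does not go through an HTTP proxy,
# which is why its result is meaningless when a proxy is required.
default_probe() {
    # -Pn: skip host discovery; -p: scan only the given port.
    nmap -Pn -p "$2" "$1" 2>/dev/null | grep -q "^$2/tcp *open"
}

# Usage: port_precheck HOST PORT [PROXY]
# Prints one of: skip-proxy, skip-no-nmap, open, closed.
# Returns 1 only for "closed", the one case where the OpenSSL
# connection attempt (and its timeout) can be skipped.
port_precheck() {
    host=$1
    port=$2
    proxy=$3
    probe=${PROBE_CMD:-default_probe}

    # With a proxy, a direct probe can report "closed" for a target that
    # is reachable through the proxy, so let s_client decide instead.
    if [ -n "$proxy" ]; then
        echo "skip-proxy"
        return 0
    fi

    # The pre-check is an optimisation only: without nmap, carry on.
    if [ "$probe" = default_probe ] && ! command -v nmap >/dev/null 2>&1; then
        echo "skip-no-nmap"
        return 0
    fi

    if "$probe" "$host" "$port"; then
        echo "open"
        return 0
    fi
    echo "closed"
    return 1
}
```

A caller would continue to the OpenSSL connection for every result except `closed`.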