maurosoria / dirsearch

Web path scanner

about disable ssl cert check / accept low strength certificate encryption #676

Open c2xusnpq6 opened 3 years ago

c2xusnpq6 commented 3 years ago

[image] tls1.0 --tlsv1.0 or -1?

$ curl -h | sed -ne '/--tlsv/p'
 -1, --tlsv1 Use TLSv1.0 or greater
     --tlsv1.0 Use TLSv1.0
     --tlsv1.1 Use TLSv1.1
     --tlsv1.2 Use TLSv1.2
     --tlsv1.3 Use TLSv1.3

adfoster-r7 commented 1 year ago

Should be the same as the steps above but just with the -tls1_2 flag:

# Create certs:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

# Create a TLS 1.2-only server with openssl:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1_2

Verifying:

$ curl -v https://127.0.0.1:44330 -k

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
...

Or with sslscan:

➜  ~ sslscan 192.168.123.1:44330
Version: 2.0.12-static
OpenSSL 1.1.1n-dev  xx XXX xxxx

Connected to 192.168.123.1

Testing SSL server 192.168.123.1 on port 44330 using SNI name 192.168.123.1

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled    <---
TLSv1.3   disabled
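
An added example, not part of the original thread or of dirsearch's code: a Python version of the per-protocol check that the sslscan output above shows, for confirming that a lab server such as the `openssl s_server` one accepts only the intended TLS version. `pinned_context` and `probe` are hypothetical names, and the code assumes a Python build linked against OpenSSL.

```python
import socket
import ssl
import warnings

# Protocol versions to try, oldest first (the TLS rows sslscan prints).
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def pinned_context(version):
    """Client context that offers exactly one protocol version.

    Verification is off (like `curl -k`) because the lab server uses a
    self-signed certificate; do not reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 only negotiates TLS 1.0/1.1 at security level 0.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        # Python warns when the deprecated TLS 1.0/1.1 values are assigned.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, port, timeout=3.0):
    """Return {label: 'enabled' | 'disabled' | 'unsupported locally'}."""
    results = {}
    for label, version in VERSIONS:
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError):
            # The local OpenSSL build cannot offer this version at all.
            results[label] = "unsupported locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # min == max, so a completed handshake means this version works.
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[label] = "enabled"
        except OSError:  # covers ssl.SSLError, refused connections, timeouts
            results[label] = "disabled"
    return results
```

Against the server started above, `probe("127.0.0.1", 44330)` should report only `TLSv1.2` as enabled; a port that is unreachable reports every version as disabled, so confirm the port is open before reading the result as a protocol restriction.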

shelld3v commented 1 year ago

@adfoster-r7 Can you check if the issue is still reproducible with dirsearch v0.4.3?

shelld3v commented 1 year ago

@adfoster-r7 I can't reproduce the issue now, can you check if the issue is still there in the latest version of dirsearch (v0.4.3)?