TLSFlags
justinbastress edited this page Feb 7, 2018 · 1 revision
zgrab2.TLSFlags holds the flags needed to configure a TLS connection. Different scanners can have different settings.
- `--heartbleed`: Run a check on the server to see if it is vulnerable to the heartbleed attack
- `--session-ticket`: Send support for TLS Session Tickets and output ticket if presented
- `--extended-master-secret`: Offer RFC 7627 Extended Master Secret extension
- `--extended-random`: Send TLS Extended Random Extension
- `--no-sni`: Do not send domain name in TLS Handshake regardless of whether known
- `--sct`: Request Signed Certificate Timestamps during TLS Handshake
- `--keep-client-logs`: Include the client-side logs in the TLS handshake
- `--time`: Explicit request time to use, instead of clock. YYYYMMDDhhmmss format.
- `--certificates`: Set of certificates to present to the server
- `--certificate-map`: A file mapping server names to certificates
- `--root-cas`: Set of certificates to use when verifying server certificates
- `--next-protos`: A list of supported application-level protocols
- `--server-name`: Server name used for certificate verification and (optionally) SNI
- `--verify-server-certificate`: If set, the scan will fail if the server certificate does not match the server-name, or does not chain to a trusted root.
- `--cipher-suite`: A list of cipher suites to use
- `--min-version`: The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum.
- `--max-version`: The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value.
- `--curve-preferences`: A list of elliptic curves used in an ECDHE handshake, in order of preference.
- `--no-ecdhe`: Do not allow ECDHE handshakes
- `--signature-algorithms`: Signature and hash algorithms that are acceptable
- `--heartbeat-enabled`: If set, include the heartbeat extension
- `--dsa-enabled`: Accept server DSA keys
- `--client-random`: Set an explicit Client Random (base64 encoded)
- `--client-hello`: Set an explicit ClientHello (base64 encoded)
The TLSFlags can be used to get a zgrab2.TLSConnection, which will perform the handshake (and any other actions, such as heartbleed checks) with the configured options.
Example:

```go
conn, err := scanTarget.Open(&flags.BaseFlags)
if err != nil {
	return zgrab2.TryGetScanStatus(err), nil, err
}
if flags.UseTLS {
	tlsConnection, err := flags.TLSFlags.GetTLSConnection(conn)
	if err == nil {
		err = tlsConnection.Handshake()        // '=' not ':=': err already exists in this scope
		result.TLSLog = tlsConnection.GetLog() // exported field tagged `json:"tls"`, kept even on failure
	}
	if err != nil {
		return zgrab2.TryGetScanStatus(err), result, err
	}
	conn = tlsConnection
}
```
For consistency, the TLSConnection.GetLog() should be stored in the root of the results object, under a JSON field named tls.
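To make the flag semantics above concrete, here is an added example (not zgrab2's own code) that maps a handful of the listed options onto a Go `crypto/tls` configuration: `--server-name`, `--no-sni`, `--verify-server-certificate`, `--root-cas`, `--next-protos`, `--min-version`, `--max-version` and `--time`. The struct `ScanTLSFlags`, its field names and the functions `parseScanTime` and `BuildTLSConfig` are assumptions for illustration; version numbers are the `crypto/tls` constants rather than zgrab2's numbering. The interesting edge case is `--no-sni` combined with `--verify-server-certificate`: `crypto/tls` refuses to verify a chain when `ServerName` is empty, so verification has to be done explicitly against the configured server name while SNI stays suppressed.

```go
// Added example: translating a subset of the TLSFlags options into a crypto/tls
// configuration. Not zgrab2's implementation; names below are assumptions.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// ScanTLSFlags is an assumed, reduced mirror of a few zgrab2.TLSFlags options.
type ScanTLSFlags struct {
	ServerName              string   // --server-name
	NoSNI                   bool     // --no-sni
	VerifyServerCertificate bool     // --verify-server-certificate
	RootCAsPEM              []byte   // --root-cas, contents of the PEM file
	NextProtos              []string // --next-protos
	MinVersion              uint16   // --min-version (tls.VersionTLS12 etc.), 0 = library default
	MaxVersion              uint16   // --max-version, 0 = highest supported
	Time                    string   // --time, YYYYMMDDhhmmss; empty = wall clock
}

// parseScanTime parses the --time value in the YYYYMMDDhhmmss format the page describes.
func parseScanTime(s string) (time.Time, error) {
	return time.Parse("20060102150405", s)
}

// BuildTLSConfig maps the flags onto a crypto/tls config and rejects inconsistent input.
func BuildTLSConfig(f ScanTLSFlags) (*tls.Config, error) {
	if f.MinVersion != 0 && f.MaxVersion != 0 && f.MinVersion > f.MaxVersion {
		return nil, fmt.Errorf("min-version %#x exceeds max-version %#x", f.MinVersion, f.MaxVersion)
	}
	cfg := &tls.Config{
		InsecureSkipVerify: !f.VerifyServerCertificate, // unverified scans still complete the handshake
		NextProtos:         f.NextProtos,
		MinVersion:         f.MinVersion,
		MaxVersion:         f.MaxVersion,
	}
	var roots *x509.CertPool // nil means the system roots
	if len(f.RootCAsPEM) > 0 {
		roots = x509.NewCertPool()
		if !roots.AppendCertsFromPEM(f.RootCAsPEM) {
			return nil, errors.New("root-cas: no PEM certificates could be parsed")
		}
		cfg.RootCAs = roots
	}
	if f.Time != "" {
		t, err := parseScanTime(f.Time)
		if err != nil {
			return nil, fmt.Errorf("time: %w", err)
		}
		cfg.Time = func() time.Time { return t } // validity is checked at the requested instant
	}
	if !f.NoSNI {
		cfg.ServerName = f.ServerName // sent as SNI and used for verification
		return cfg, nil
	}
	if !f.VerifyServerCertificate {
		return cfg, nil // no SNI, no verification: nothing more to set
	}
	// --no-sni with verification: leave ServerName empty so no SNI is sent, and verify
	// the presented chain manually against the configured name instead.
	cfg.InsecureSkipVerify = true
	cfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			intermediates.AddCert(c)
		}
		opts := x509.VerifyOptions{DNSName: f.ServerName, Roots: roots, Intermediates: intermediates}
		if cfg.Time != nil {
			opts.CurrentTime = cfg.Time()
		}
		_, err = leaf.Verify(opts)
		return err
	}
	return cfg, nil
}
```

Note that `InsecureSkipVerify` is set in two different situations with different meanings: when verification is simply off, and when verification is on but delegated to `VerifyPeerCertificate`. Anyone reading a scan result should therefore treat "handshake succeeded" and "certificate verified" as separate facts, which is also why the page recommends keeping the full handshake log under `tls`.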