

Add permissive parsing TLS option
This is driven by zmap#378, zmap/zcrypto#364 and
zmap#334

This allows a number of scans to actually succeed, rather than fail out
when parsing the certificate

Example without permissive parsing:

```
echo FAILING_IP | ./zgrab2 http -p 443 --use-https
INFO[0000] started grab at 2023-09-21T21:25:29-05:00
{"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}}
INFO[0001] finished grab at 2023-09-21T21:25:29-05:00
{"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"}
```

With Permissive parsing:

```
echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing
INFO[0000] started grab at 2023-09-21T21:25:34-05:00
{"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"],
... all the HTTP and TLS handshake log data
```
Seanstoppable committed Sep 22, 2023
1 parent 97ba87c commit c21c361
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion tls.go
Expand Up @@ -12,8 +12,10 @@ import (
"time"

log "github.com/sirupsen/logrus"
"github.com/zmap/zcrypto/encoding/asn1"
"github.com/zmap/zcrypto/tls"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/pkix"
)

// Shared code for TLS scans.
Expand Down Expand Up @@ -65,7 +67,8 @@ type TLSFlags struct {
// TODO: format?
ClientRandom string `long:"client-random" description:"Set an explicit Client Random (base64 encoded)"`
// TODO: format?
ClientHello string `long:"client-hello" description:"Set an explicit ClientHello (base64 encoded)"`
ClientHello string `long:"client-hello" description:"Set an explicit ClientHello (base64 encoded)"`
PermissiveParsing bool `long:"permissive-parsing" description:"Allow permissive Certificate parsing"`
}

func getCSV(arg string) []string {
Expand Down Expand Up @@ -149,6 +152,11 @@ func (t *TLSFlags) GetTLSConfigForTarget(target *ScanTarget) (*tls.Config, error
log.Fatalf("Could not read certificates from PEM file. Invalid PEM?")
}
}

if t.PermissiveParsing {
asn1.AllowPermissiveParsing = true
pkix.LegacyNameString = true
}
if t.NextProtos != "" {
// TODO: Different format?
ret.NextProtos = getCSV(t.NextProtos)
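Review bot: `asn1.AllowPermissiveParsing` and `pkix.LegacyNameString` are package-level variables in zcrypto, so the assignment added in the third hunk inside GetTLSConfigForTarget changes parsing for the whole process the first time any target reaches it and never restores the strict setting; unlike the other fields written to `ret`, this is not per-config state. If GetTLSConfigForTarget is invoked per target from concurrent scan goroutines, as its name and the `*ScanTarget` parameter suggest, the repeated unsynchronised writes are also reported as a data race under `-race`, even though the value written is always `true`. Moving the two assignments to a one-time point (the flag validation/Init path, or behind a `sync.Once`) and stating the scope next to them would make this explicit, e.g. `// Process-wide zcrypto globals: enabling permissive parsing affects every TLS scan in this process and is never reverted.` It would also help consumers of the JSON output if the scan result recorded that the certificate was parsed permissively, since a tolerated malformed certificate is otherwise indistinguishable from a strictly parsed one. GetTLSConfigForTarget starts before and continues after the hunk.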
