-
Notifications
You must be signed in to change notification settings - Fork 307
TLSFlags
justinbastress edited this page Feb 7, 2018
·
1 revision
zgrab2.TLSFlags
holds the flags needed to configure a TLS connection. Different scanners can have different settings.
-
--heartbleed
: Run a check on the server to see if it is vulnerable to the heartbleed attack -
--session-ticket
: Send support for TLS Session Tickets and output ticket if presented -
--extended-master-secret
: Offer RFC 7627 Extended Master Secret extension -
--extended-random
: Send TLS Extended Random Extension -
--no-sni
: Do not send domain name in TLS Handshake regardless of whether known -
--sct
: Request Signed Certificate Timestamps during TLS Handshake -
--keep-client-logs
: Include the client-side logs in the TLS handshake -
--time
: Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. -
--certificates
: Set of certificates to present to the server -
--certificate-map
: A file mapping server names to certificates -
--root-cas
: Set of certificates to use when verifying server certificates -
--next-protos
: A list of supported application-level protocols -
--server-name
: Server name used for certificate verification and (optionally) SNI -
--verify-server-certificate
: If set, the scan will fail if the server certificate does not match the server-name, or does not chain to a trusted root. -
--cipher-suite
: A list of cipher suites to use -
--min-version
: The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum. -
--max-version
: The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value. -
--curve-preferences
: A list of elliptic curves used in an ECDHE handshake, in order of preference. -
--no-ecdhe
: Do not allow ECDHE handshakes -
--signature-algorithms
: Signature and hash algorithms that are acceptable -
--heartbeat-enabled
: If set, include the heartbeat extension -
--dsa-enabled
: Accept server DSA keys -
--client-random
: Set an explicit Client Random (base64 encoded) -
--client-hello
: Set an explicit ClientHello (base64 encoded)
The TLSFlags
can be used to get a zgrab2.TLSConnection
, which will perform the handshake (and any other actions, such as heartbleed checks) with the configured options.
Example:
conn, err := scanTarget.Open(&flags.BaseFlags)
if flags.UseTLS {
tlsConnection, err := flags.TLSFlags.GetTLSConnection(conn)
err := tlsConnection.Handshake()
result.tls = tlsConnection.GetLog()
conn = tlsConnection
}
For consistency, the TLSConnection.GetLog()
should be stored in the root of the results object, under a JSON field named tls
.