
TLSFlags

justinbastress edited this page Feb 7, 2018 · 1 revision

zgrab2.TLSFlags holds the flags needed to configure a TLS connection. Each scanner module carries its own copy of these flags, so different scanners can use different TLS settings. Note that certificate verification is off unless --verify-server-certificate is given: by default a scan records whatever chain the server presents and does not fail on it.

Flags

  • --heartbleed: Run a check on the server to see if it is vulnerable to the heartbleed attack
  • --session-ticket: Send support for TLS Session Tickets and output ticket if presented
  • --extended-master-secret: Offer RFC 7627 Extended Master Secret extension
  • --extended-random: Send TLS Extended Random Extension
  • --no-sni: Do not send domain name in TLS Handshake regardless of whether known
  • --sct: Request Signed Certificate Timestamps during TLS Handshake
  • --keep-client-logs: Include the client-side logs in the TLS handshake
  • --time: Explicit request time to use, instead of clock. YYYYMMDDhhmmss format.
  • --certificates: Set of certificates to present to the server
  • --certificate-map: A file mapping server names to certificates
  • --root-cas: Set of certificates to use when verifying server certificates
  • --next-protos: A list of supported application-level protocols
  • --server-name: Server name used for certificate verification and (optionally) SNI
  • --verify-server-certificate: If set, the scan will fail if the server certificate does not match the server-name, or does not chain to a trusted root.
  • --cipher-suite: A list of cipher suites to use
  • --min-version: The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum.
  • --max-version: The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value.
  • --curve-preferences: A list of elliptic curves used in an ECDHE handshake, in order of preference.
  • --no-ecdhe: Do not allow ECDHE handshakes
  • --signature-algorithms: Signature and hash algorithms that are acceptable
  • --heartbeat-enabled: If set, include the heartbeat extension
  • --dsa-enabled: Accept server DSA keys
  • --client-random: Set an explicit Client Random (base64 encoded)
  • --client-hello: Set an explicit ClientHello (base64 encoded)
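The flags above are mostly self-explanatory, but a few interact: --server-name feeds both SNI and verification, --no-sni suppresses only the SNI half, and 0 has a different meaning for --min-version than for --max-version. The following added example (written for this page, not zgrab2's own code; zgrab2 uses the zcrypto TLS stack, whereas this maps a subset of the flags onto Go's standard crypto/tls) shows one way those semantics can be expressed. The ScanTLSOptions type and BuildTLSConfig function are assumed names for the example, and the TLS 1.0 floor is a substitution for SSLv3, which crypto/tls cannot negotiate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// ScanTLSOptions mirrors a subset of the TLSFlags listed above (an illustrative type, not zgrab2's).
type ScanTLSOptions struct {
	ServerName       string   // --server-name
	NoSNI            bool     // --no-sni
	VerifyServerCert bool     // --verify-server-certificate
	RootCAsPEM       []byte   // --root-cas (contents of the PEM file)
	MinVersion       uint16   // --min-version; 0 = lowest available
	MaxVersion       uint16   // --max-version; 0 = highest supported
	CipherSuites     []string // --cipher-suite, by IANA name
	Time             string   // --time, YYYYMMDDhhmmss; empty = wall clock
}

// lookupCipherSuite resolves an IANA suite name, including suites crypto/tls marks insecure.
func lookupCipherSuite(name string) (uint16, error) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs.ID, nil
		}
	}
	return 0, fmt.Errorf("unknown cipher suite %q", name)
}

// BuildTLSConfig maps the options onto a crypto/tls client config.
func BuildTLSConfig(o ScanTLSOptions) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: o.MinVersion, MaxVersion: o.MaxVersion}
	if cfg.MinVersion == 0 {
		// zgrab2 reads 0 as SSLv3; crypto/tls cannot negotiate SSLv3, so TLS 1.0 is the floor here.
		cfg.MinVersion = tls.VersionTLS10
	}
	if len(o.RootCAsPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(o.RootCAsPEM) {
			return nil, errors.New("--root-cas: no certificates parsed")
		}
	}
	for _, name := range o.CipherSuites {
		id, err := lookupCipherSuite(name)
		if err != nil {
			return nil, err
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	cfg.Time = time.Now // --time pins the clock so validity periods are judged as of a chosen instant
	if o.Time != "" {
		t, err := time.ParseInLocation("20060102150405", o.Time, time.UTC)
		if err != nil {
			return nil, fmt.Errorf("--time: %w", err)
		}
		cfg.Time = func() time.Time { return t }
	}
	if !o.NoSNI {
		cfg.ServerName = o.ServerName // sent as SNI and used for verification
	}
	if !o.VerifyServerCert {
		// Scanner default: record whatever chain the server presents, verify nothing.
		cfg.InsecureSkipVerify = true
		return cfg, nil
	}
	if o.ServerName == "" {
		return nil, errors.New("--verify-server-certificate needs --server-name")
	}
	if o.NoSNI {
		// crypto/tls ties ServerName to SNI; to verify against it without sending it, verify by hand.
		cfg.InsecureSkipVerify = true
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			var certs []*x509.Certificate
			for _, b := range raw {
				c, err := x509.ParseCertificate(b)
				if err != nil {
					return err
				}
				certs = append(certs, c)
			}
			if len(certs) == 0 {
				return errors.New("server presented no certificate")
			}
			inter := x509.NewCertPool()
			for _, c := range certs[1:] {
				inter.AddCert(c)
			}
			_, err := certs[0].Verify(x509.VerifyOptions{
				DNSName: o.ServerName, Roots: cfg.RootCAs, Intermediates: inter, CurrentTime: cfg.Time(),
			})
			return err
		}
	}
	return cfg, nil
}
```

The no-SNI-but-verify branch is the one to watch: setting InsecureSkipVerify is the only way to stop crypto/tls from sending ServerName as SNI, so the hostname and chain checks have to be re-done in VerifyPeerCertificate, against the same root set and the same (possibly pinned) clock. Leaving out that callback would silently turn a verifying scan into a non-verifying one.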

Using

The TLSFlags can be used to get a zgrab2.TLSConnection, which will perform the handshake (and any other actions, such as heartbleed checks) with the configured options.

Example (a fragment from a module's Scan method, where flags is the module's flags struct embedding TLSFlags and result is its result struct; errors are checked at each step rather than discarded):

conn, err := scanTarget.Open(&flags.BaseFlags)
if err != nil {
  return zgrab2.TryGetScanStatus(err), nil, err
}
if flags.UseTLS {
  tlsConnection, err := flags.TLSFlags.GetTLSConnection(conn)
  if err != nil {
    return zgrab2.TryGetScanStatus(err), nil, err
  }
  result.TLSLog = tlsConnection.GetLog() // JSON field "tls"; keep the log even if the handshake fails
  if err = tlsConnection.Handshake(); err != nil {
    return zgrab2.TryGetScanStatus(err), &result, err
  }
  conn = tlsConnection
}

For consistency across modules, the value returned by TLSConnection.GetLog() should be stored at the root of the module's result object, under a JSON field named tls (for example a field of type *zgrab2.TLSLog tagged json:"tls,omitempty"). Storing the log before calling Handshake() means a failed handshake still leaves the partial handshake record in the output.
