From 93ac4278e63ce579db4049c6ef7e22482fba59cf Mon Sep 17 00:00:00 2001 From: mzack Date: Thu, 4 Aug 2022 11:47:26 +0200 Subject: [PATCH 1/6] Adding initial support for tls version enum --- cmd/tlsx/main.go | 5 +++-- pkg/output/output.go | 6 ++++++ pkg/tlsx/auto/auto.go | 5 +++++ pkg/tlsx/clients/clients.go | 16 +++++++++----- pkg/tlsx/tls/tls.go | 17 +++++++++++++++ pkg/tlsx/tlsx.go | 24 +++++++++++++++++++++ pkg/tlsx/ztls/ztls.go | 43 ++++++++++++++++++++++++++----------- 7 files changed, 96 insertions(+), 20 deletions(-) diff --git a/cmd/tlsx/main.go b/cmd/tlsx/main.go index 3a9f1b3c..db74d075 100644 --- a/cmd/tlsx/main.go +++ b/cmd/tlsx/main.go @@ -44,7 +44,7 @@ func readFlags() error { flagSet.SetDescription(`TLSX is a tls data gathering and analysis toolkit.`) flagSet.CreateGroup("input", "Input", - flagSet.StringSliceVarP(&options.Inputs, "host", "u", []string{}, "target host to scan (-u INPUT1,INPUT2)", goflags.CommaSeparatedStringSliceOptions), + flagSet.StringSliceVarP(&options.Inputs, "host", "u", nil, "target host to scan (-u INPUT1,INPUT2)", goflags.CommaSeparatedStringSliceOptions), flagSet.StringVarP(&options.InputList, "list", "l", "", "target list to scan (-l INPUT_FILE)"), flagSet.StringSliceVarP(&options.Ports, "port", "p", nil, "target port to connect (default 443)", goflags.FileCommaSeparatedStringSliceOptions), ) 
@@ -53,7 +53,7 @@ func readFlags() error { flagSet.StringVarP(&options.ScanMode, "scan-mode", "sm", "", "tls connection mode to use (ctls, ztls, auto) (default ctls)"), flagSet.BoolVarP(&options.CertsOnly, "pre-handshake", "ps", false, "enable pre-handshake tls connection (early termination) using ztls"), flagSet.BoolVarP(&options.ScanAllIPs, "scan-all-ips", "sa", false, "scan all ips for a host (default false)"), - flagSet.StringSliceVarP(&options.IPVersion, "ip-version", "iv", []string{}, "ip version to use (4, 6) (default 4)", goflags.NormalizedStringSliceOptions), + flagSet.StringSliceVarP(&options.IPVersion, "ip-version", "iv", nil, "ip version to use (4, 6) (default 4)", goflags.NormalizedStringSliceOptions), ) flagSet.CreateGroup("probes", "Probes", @@ -67,6 +67,7 @@ func readFlags() error { flagSet.BoolVar(&options.Ja3, "ja3", false, "display ja3 fingerprint hash (using ztls)"), flagSet.BoolVarP(&options.WildcardCertCheck, "wildcard-cert", "wc", false, "display host with wildcard ssl certificate"), flagSet.BoolVarP(&options.ProbeStatus, "probe-status", "tps", false, "display tls probe status"), + flagSet.BoolVarP(&options.TlsVersionsEnum, "version-enum", "ve", false, "enumerate and display supported tls versions"), ) flagSet.CreateGroup("misconfigurations", "Misconfigurations", diff --git a/pkg/output/output.go b/pkg/output/output.go index 90c202b6..c1357af2 100644 --- a/pkg/output/output.go +++ b/pkg/output/output.go @@ -221,6 +221,12 @@ func (w *StandardWriter) formatStandard(output *clients.Response) ([]byte, error builder.WriteString("]") } + if w.options.TlsVersionsEnum { + builder.WriteString(" [") + builder.WriteString(w.aurora.Magenta(strings.Join(output.VersionEnum, ",")).String()) + builder.WriteString("]") + } + outputdata := builder.Bytes() return outputdata, nil } diff --git a/pkg/tlsx/auto/auto.go b/pkg/tlsx/auto/auto.go index f869c69a..547fc524 100644 --- a/pkg/tlsx/auto/auto.go +++ b/pkg/tlsx/auto/auto.go 
@@ -49,6 +49,11 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C return response, nil } +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSVersions() ([]string, error) { + return nil, errors.New("not implemented in auto mode") +} + // isResponseInvalid handles invalid response func (c *Client) isResponseInvalid(resp *clients.Response) bool { if resp == nil { diff --git a/pkg/tlsx/clients/clients.go b/pkg/tlsx/clients/clients.go index 3af11094..e2e72bdb 100644 --- a/pkg/tlsx/clients/clients.go +++ b/pkg/tlsx/clients/clients.go @@ -20,6 +20,8 @@ import ( type Implementation interface { // Connect connects to a host and grabs the response data ConnectWithOptions(hostname, ip, port string, options ConnectOptions) (*Response, error) + // SupportedTLSVersions returns the list of supported tls versions + SupportedTLSVersions() ([]string, error) } // Options contains configuration options for tlsx client @@ -107,6 +109,8 @@ type Options struct { IPVersion goflags.StringSlice // WildcardCertCheck enables wildcard certificate check WildcardCertCheck bool + // TlsVersionsEnum enumerates supported tls versions + TlsVersionsEnum bool // Fastdialer is a fastdialer dialer instance Fastdialer *fastdialer.Dialer @@ -137,10 +141,11 @@ type Response struct { // when ran using scan-mode auto. TLSConnection string `json:"tls_connection,omitempty"` // Chain is the chain of certificates - Chain []*CertificateResponse `json:"chain,omitempty"` - JarmHash string `json:"jarm_hash,omitempty"` - Ja3Hash string `json:"ja3_hash,omitempty"` - ServerName string `json:"sni,omitempty"` + Chain []*CertificateResponse `json:"chain,omitempty"` + JarmHash string `json:"jarm_hash,omitempty"` + Ja3Hash string `json:"ja3_hash,omitempty"` + ServerName string `json:"sni,omitempty"` + VersionEnum []string `json:"version-enum,omitempty"` } // CertificateResponse is the response for a certificate 
@@ -287,5 +292,6 @@ func PemEncode(cert []byte) string {
 }
 
 type ConnectOptions struct {
- SNI string
+ SNI string
+ VersionTLS string
 }
diff --git a/pkg/tlsx/tls/tls.go b/pkg/tlsx/tls/tls.go
index 2c86a5d5..fa5ff218 100644
--- a/pkg/tlsx/tls/tls.go
+++ b/pkg/tlsx/tls/tls.go
@@ -29,6 +29,9 @@ type Client struct {
 options *clients.Options
 }
 
+// supportedTlsVersions contains the list of supported TLS versions (avoids allocations)
+var supportedTlsVersions = []string{"tls10", "tls11", "tls12", "tls13"}
+
 // versionStringToTLSVersion converts tls version string to version
 var versionStringToTLSVersion = map[string]uint16{
 "tls10": tls.VersionTLS10,
@@ -139,6 +142,15 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C
 config = c
 }
 
+ if options.VersionTLS != "" {
+ version, ok := versionStringToTLSVersion[options.VersionTLS]
+ if !ok {
+ return nil, fmt.Errorf("invalid tls version specified: %s", options.VersionTLS)
+ }
+ config.MinVersion = version
+ config.MaxVersion = version
+ }
+
 conn := tls.Client(rawConn, config)
 if err := conn.HandshakeContext(ctx); err != nil {
 rawConn.Close()
@@ -228,3 +240,8 @@ func parseASN1DNSequenceWithZpkix(data []byte) string {
 dnParsedString := subject.String()
 return dnParsedString
 }
+
+// SupportedTLSVersions returns the list of standard tls library supported tls versions
+func (c *Client) SupportedTLSVersions() ([]string, error) {
+ return supportedTlsVersions, nil
+}
diff --git a/pkg/tlsx/tlsx.go b/pkg/tlsx/tlsx.go
index 3b105358..a6db280e 100644
--- a/pkg/tlsx/tlsx.go
+++ b/pkg/tlsx/tlsx.go
@@ -5,6 +5,7 @@ import (
 "time"
 
 "github.com/pkg/errors"
+ "github.com/projectdiscovery/sliceutil"
 "github.com/projectdiscovery/tlsx/pkg/tlsx/auto"
 "github.com/projectdiscovery/tlsx/pkg/tlsx/clients"
 "github.com/projectdiscovery/tlsx/pkg/tlsx/jarm"
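Review bot: The pin `config.MinVersion = version` / `config.MaxVersion = version` in the `@@ -139` hunk of tls.go is written to whatever `config` currently points at, and the context line `config = c` shows a clone is substituted only on one path, so on the other path this is presumably the client-wide `c.tlsConfig` and the version restriction would persist into every later connection of that client and race between concurrent scan workers — confirm against the assignment of `config`, which sits above the hunk. Cloning before the override keeps it per-connection: `config = config.Clone()` ahead of the two assignments. A short why-comment would also help a reader, e.g. `// pin both bounds so the server cannot negotiate anything but the probed version`. ConnectWithOptions starts and ends outside the hunk.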
@@ -77,5 +78,28 @@ func (s *Service) ConnectWithOptions(host, ip, port string, options clients.Conn
 }
 resp.JarmHash = jarmhash
 }
+
+ supportedTlsVersions := []string{resp.Version}
+ if s.options.TlsVersionsEnum {
+ enumeratedTlsVersions, _ := s.enumTlsVersions(host, ip, port, options)
+ supportedTlsVersions = append(supportedTlsVersions, enumeratedTlsVersions...)
+ }
+ resp.VersionEnum = sliceutil.Dedupe(supportedTlsVersions)
+
 return resp, nil
 }
+
+func (s *Service) enumTlsVersions(host, ip, port string, options clients.ConnectOptions) ([]string, error) {
+ var enumeratedTlsVersions []string
+ clientSupportedTlsVersions, err := s.client.SupportedTLSVersions()
+ if err != nil {
+ return nil, err
+ }
+ for _, tlsVersion := range clientSupportedTlsVersions {
+ options.VersionTLS = tlsVersion
+ if resp, err := s.client.ConnectWithOptions(host, ip, port, options); err == nil && resp != nil && resp.Version == tlsVersion {
+ enumeratedTlsVersions = append(enumeratedTlsVersions, tlsVersion)
+ }
+ }
+ return enumeratedTlsVersions, nil
+}
diff --git a/pkg/tlsx/ztls/ztls.go b/pkg/tlsx/ztls/ztls.go
index ad2a224e..b9167327 100644
--- a/pkg/tlsx/ztls/ztls.go
+++ b/pkg/tlsx/ztls/ztls.go
@@ -27,6 +27,9 @@ type Client struct {
 options *clients.Options
 }
 
+// supportedTlsVersions contains the list of supported TLS versions (avoids allocations)
+var supportedTlsVersions = []string{"ssl30", "tls10", "tls11", "tls12"}
+
 // versionStringToTLSVersion converts tls version string to version
 var versionStringToTLSVersion = map[string]uint16{
 "ssl30": tls.VersionSSL30,
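Review bot: `enumTlsVersions` treats every error from `ConnectWithOptions` as "version not supported", so a timeout, a reset by a rate-limiting middlebox or a dial failure on one of the extra probes is reported as a hardening property of the host, and the caller additionally discards the function's own error with `enumeratedTlsVersions, _ := s.enumTlsVersions(...)`, which hides a failing `SupportedTLSVersions()` (the auto client returns one in this patch) behind an empty list. At minimum propagate that error, `enumeratedTlsVersions, err := s.enumTlsVersions(host, ip, port, options); if err != nil { return nil, errors.Wrap(err, "could not enumerate tls versions") }`, and state in a doc comment on `enumTlsVersions` that any handshake failure, not only a protocol_version alert, is counted as unsupported so the output is read with that caveat. The `resp.Version == tlsVersion` guard is the right check and should be kept; it is what stops a server that ignores the pin from being credited with a version it did not negotiate.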
@@ -151,6 +154,15 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C config = c } + if options.VersionTLS != "" { + version, ok := versionStringToTLSVersion[options.VersionTLS] + if !ok { + return nil, fmt.Errorf("invalid tls version specified: %s", options.VersionTLS) + } + config.MinVersion = version + config.MaxVersion = version + } + tlsConn := tls.Client(conn, config) if timeout == 0 { err = tlsConn.Handshake() @@ -208,20 +220,20 @@ func (c *Client) convertCertificateToResponse(hostname string, cert *x509.Certif return nil } response := &clients.CertificateResponse{ - SubjectAN: cert.DNSNames, - Emails: cert.EmailAddresses, - NotBefore: cert.NotBefore, - NotAfter: cert.NotAfter, - Expired: clients.IsExpired(cert.NotAfter), - SelfSigned: clients.IsSelfSigned(cert.AuthorityKeyId, cert.SubjectKeyId), - MisMatched: clients.IsMisMatchedCert(hostname, append(cert.DNSNames, cert.Subject.CommonName)), + SubjectAN: cert.DNSNames, + Emails: cert.EmailAddresses, + NotBefore: cert.NotBefore, + NotAfter: cert.NotAfter, + Expired: clients.IsExpired(cert.NotAfter), + SelfSigned: clients.IsSelfSigned(cert.AuthorityKeyId, cert.SubjectKeyId), + MisMatched: clients.IsMisMatchedCert(hostname, append(cert.DNSNames, cert.Subject.CommonName)), WildCardCert: clients.IsWildCardCert(append(cert.DNSNames, cert.Subject.CommonName)), - IssuerDN: cert.Issuer.String(), - IssuerCN: cert.Issuer.CommonName, - IssuerOrg: cert.Issuer.Organization, - SubjectDN: cert.Subject.String(), - SubjectCN: cert.Subject.CommonName, - SubjectOrg: cert.Subject.Organization, + IssuerDN: cert.Issuer.String(), + IssuerCN: cert.Issuer.CommonName, + IssuerOrg: cert.Issuer.Organization, + SubjectDN: cert.Subject.String(), + SubjectCN: cert.Subject.CommonName, + SubjectOrg: cert.Subject.Organization, FingerprintHash: clients.CertificateResponseFingerprintHash{ MD5: clients.MD5Fingerprint(cert.Raw), SHA1: clients.SHA1Fingerprint(cert.Raw), 
@@ -233,3 +245,8 @@ func (c *Client) convertCertificateToResponse(hostname string, cert *x509.Certif } return response } + +// SupportedTLSVersions returns the list of standard tls library supported tls versions +func (c *Client) SupportedTLSVersions() ([]string, error) { + return supportedTlsVersions, nil +} From 5cc7b6e4dd7890bfbb40dfc7d858887a4c807d39 Mon Sep 17 00:00:00 2001 From: mzack Date: Thu, 4 Aug 2022 13:23:15 +0200 Subject: [PATCH 2/6] Adding support for ciphers enum --- cmd/tlsx/main.go | 1 + pkg/tlsx/auto/auto.go | 5 +++++ pkg/tlsx/clients/clients.go | 11 +++++++++++ pkg/tlsx/tls/tls.go | 16 +++++++++++++--- pkg/tlsx/tls/utils.go | 12 ++++++++++-- pkg/tlsx/tlsx.go | 30 ++++++++++++++++++++++++++++-- pkg/tlsx/ztls/utils.go | 12 ++++++++++-- pkg/tlsx/ztls/ztls.go | 16 +++++++++++++--- 8 files changed, 91 insertions(+), 12 deletions(-) diff --git a/cmd/tlsx/main.go b/cmd/tlsx/main.go index db74d075..52773ce4 100644 --- a/cmd/tlsx/main.go +++ b/cmd/tlsx/main.go @@ -68,6 +68,7 @@ func readFlags() error { flagSet.BoolVarP(&options.WildcardCertCheck, "wildcard-cert", "wc", false, "display host with wildcard ssl certificate"), flagSet.BoolVarP(&options.ProbeStatus, "probe-status", "tps", false, "display tls probe status"), flagSet.BoolVarP(&options.TlsVersionsEnum, "version-enum", "ve", false, "enumerate and display supported tls versions"), + flagSet.BoolVarP(&options.TlsCiphersEnum, "cipher-enum", "ce", false, "enumerate and display supported cipher"), ) flagSet.CreateGroup("misconfigurations", "Misconfigurations", diff --git a/pkg/tlsx/auto/auto.go b/pkg/tlsx/auto/auto.go index 547fc524..c232aa47 100644 --- a/pkg/tlsx/auto/auto.go +++ b/pkg/tlsx/auto/auto.go 
@@ -54,6 +54,11 @@ func (c *Client) SupportedTLSVersions() ([]string, error) { return nil, errors.New("not implemented in auto mode") } +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSCiphers() ([]string, error) { + return nil, errors.New("not implemented in auto mode") +} + // isResponseInvalid handles invalid response func (c *Client) isResponseInvalid(resp *clients.Response) bool { if resp == nil { diff --git a/pkg/tlsx/clients/clients.go b/pkg/tlsx/clients/clients.go index e2e72bdb..9b040b5e 100644 --- a/pkg/tlsx/clients/clients.go +++ b/pkg/tlsx/clients/clients.go @@ -22,6 +22,8 @@ type Implementation interface { ConnectWithOptions(hostname, ip, port string, options ConnectOptions) (*Response, error) // SupportedTLSVersions returns the list of supported tls versions SupportedTLSVersions() ([]string, error) + // SupportedTLSCiphers returns the list of supported tls ciphers + SupportedTLSCiphers() ([]string, error) } // Options contains configuration options for tlsx client @@ -111,6 +113,8 @@ type Options struct { WildcardCertCheck bool // TlsVersionsEnum enumerates supported tls versions TlsVersionsEnum bool + // TlsCiphersEnum enumerates supported ciphers per TLS protocol + TlsCiphersEnum bool // Fastdialer is a fastdialer dialer instance Fastdialer *fastdialer.Dialer @@ -146,6 +150,12 @@ type Response struct { Ja3Hash string `json:"ja3_hash,omitempty"` ServerName string `json:"sni,omitempty"` VersionEnum []string `json:"version-enum,omitempty"` + TlsCiphers []TlsCiphers `json:"cipher-enum,omitempty"` +} + +type TlsCiphers struct { + Version string `json:"version,omitempty"` + Ciphers []string `json:"ciphers,omitempty"` } // CertificateResponse is the response for a certificate @@ -294,4 +304,5 @@ func PemEncode(cert []byte) string { type ConnectOptions struct { SNI string VersionTLS string + Ciphers []string } 
diff --git a/pkg/tlsx/tls/tls.go b/pkg/tlsx/tls/tls.go
index fa5ff218..691d59b9 100644
--- a/pkg/tlsx/tls/tls.go
+++ b/pkg/tlsx/tls/tls.go
@@ -29,9 +29,6 @@ type Client struct {
 options *clients.Options
 }
 
-// supportedTlsVersions contains the list of supported TLS versions (avoids allocations)
-var supportedTlsVersions = []string{"tls10", "tls11", "tls12", "tls13"}
-
 // versionStringToTLSVersion converts tls version string to version
 var versionStringToTLSVersion = map[string]uint16{
 "tls10": tls.VersionTLS10,
@@ -151,6 +148,14 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C
 config.MaxVersion = version
 }
 
+ if len(options.Ciphers) > 0 {
+ customCiphers, err := toTLSCiphers(options.Ciphers)
+ if err != nil {
+ return nil, errors.Wrap(err, "could not get tls ciphers")
+ }
+ c.tlsConfig.CipherSuites = customCiphers
+ }
+
 conn := tls.Client(rawConn, config)
 if err := conn.HandshakeContext(ctx); err != nil {
 rawConn.Close()
@@ -245,3 +250,8 @@ func parseASN1DNSequenceWithZpkix(data []byte) string {
 func (c *Client) SupportedTLSVersions() ([]string, error) {
 return supportedTlsVersions, nil
 }
+
+// SupportedTLSVersions returns the list of standard tls library supported ciphers
+func (c *Client) SupportedTLSCiphers() ([]string, error) {
+ return allCiphersNames, nil
+}
diff --git a/pkg/tlsx/tls/utils.go b/pkg/tlsx/tls/utils.go
index 2ab25abc..e1931acf 100644
--- a/pkg/tlsx/tls/utils.go
+++ b/pkg/tlsx/tls/utils.go
@@ -5,12 +5,20 @@ import (
 "fmt"
 )
 
-var allCiphers []uint16
+var (
+ allCiphers []uint16
+ allCiphersNames []string
+ supportedTlsVersions []string
+)
 
 func init() {
- for _, cipher := range tlsCiphers {
+ for name, cipher := range tlsCiphers {
+ allCiphersNames = append(allCiphersNames, name)
 allCiphers = append(allCiphers, cipher)
 }
+ for name := range versionStringToTLSVersion {
+ supportedTlsVersions = append(supportedTlsVersions, name)
+ }
 }
 
 func toTLSCiphers(items []string) ([]uint16, error) {
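Review bot: `c.tlsConfig.CipherSuites = customCiphers` in the `@@ -151` hunk writes the probed cipher into the shared client config instead of the per-connection `config` that the version pin two lines above uses and that `tls.Client(rawConn, config)` consumes: when `config` is a clone the probe does not apply to this handshake at all but to the next one, and in every case the restriction leaks into all later connections of the client and is a data race under concurrent scans. Change it to `config.CipherSuites = customCiphers`, cloning `config` first if it may still alias `c.tlsConfig` (that assignment is above the hunk, so verify there). Note also that crypto/tls does not apply `CipherSuites` to TLS 1.3, so a handshake pinned to `tls13` succeeds for every suite name; a comment such as `// CipherSuites only constrains TLS <= 1.2; TLS 1.3 suites are fixed by crypto/tls` at this point would keep the caller from trusting a successful handshake alone. The doc comment on the new `SupportedTLSCiphers` method still names `SupportedTLSVersions`.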
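Review bot: `allCiphersNames` and `supportedTlsVersions` in the utils.go hunk are filled by ranging over maps inside `init()`, so their order — and with it the order in which versions and ciphers are probed against a target and printed — changes from run to run, which makes scan output impossible to diff between runs. Sort them once after the loops, `sort.Strings(allCiphersNames)` and `sort.Strings(supportedTlsVersions)` (adding the `sort` import), or keep the explicitly ordered slice the previous patch had for versions, which also reads as the intended probe order. A one-line comment on the `var` block saying the names are the keys of `tlsCiphers` / `versionStringToTLSVersion` would tell a reader where to add a suite.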
diff --git a/pkg/tlsx/tlsx.go b/pkg/tlsx/tlsx.go
index a6db280e..03832101 100644
--- a/pkg/tlsx/tlsx.go
+++ b/pkg/tlsx/tlsx.go
@@ -79,12 +79,23 @@ func (s *Service) ConnectWithOptions(host, ip, port string, options clients.Conn
 resp.JarmHash = jarmhash
 }
 
- supportedTlsVersions := []string{resp.Version}
 if s.options.TlsVersionsEnum {
+ supportedTlsVersions := []string{resp.Version}
 enumeratedTlsVersions, _ := s.enumTlsVersions(host, ip, port, options)
 supportedTlsVersions = append(supportedTlsVersions, enumeratedTlsVersions...)
+ resp.VersionEnum = sliceutil.Dedupe(supportedTlsVersions)
+ }
+
+ var supportedTlsCiphers []clients.TlsCiphers
+ if s.options.TlsCiphersEnum {
+ for _, supportedTlsVersion := range resp.VersionEnum {
+ options.VersionTLS = supportedTlsVersion
+ enumeratedTlsVersions, _ := s.enumTlsCiphers(host, ip, port, options)
+ enumeratedTlsVersions = sliceutil.Dedupe(enumeratedTlsVersions)
+ supportedTlsCiphers = append(supportedTlsCiphers, clients.TlsCiphers{Version: supportedTlsVersion, Ciphers: enumeratedTlsVersions})
+ }
+ resp.TlsCiphers = supportedTlsCiphers
 }
- resp.VersionEnum = sliceutil.Dedupe(supportedTlsVersions)
 
 return resp, nil
 }
@@ -103,3 +114,18 @@ func (s *Service) enumTlsVersions(host, ip, port string, options clients.Connect
 }
 return enumeratedTlsVersions, nil
 }
+
+func (s *Service) enumTlsCiphers(host, ip, port string, options clients.ConnectOptions) ([]string, error) {
+ var enumeratedTlsCiphers []string
+ clientSupportedCiphers, err := s.client.SupportedTLSCiphers()
+ if err != nil {
+ return nil, err
+ }
+ for _, cipher := range clientSupportedCiphers {
+ options.Ciphers = []string{cipher}
+ if resp, err := s.client.ConnectWithOptions(host, ip, port, options); err == nil && resp != nil {
+ enumeratedTlsCiphers = append(enumeratedTlsCiphers, cipher)
+ }
+ }
+ return enumeratedTlsCiphers, nil
+}
diff --git a/pkg/tlsx/ztls/utils.go b/pkg/tlsx/ztls/utils.go
index c5dcb538..4a3749ff 100644
--- a/pkg/tlsx/ztls/utils.go
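Review bot: `enumTlsCiphers` counts a cipher as supported on any successful handshake without checking which suite was actually negotiated, unlike `enumTlsVersions` just above which verifies `resp.Version == tlsVersion`; because the standard library ignores `CipherSuites` for TLS 1.3, the `tls13` entry will list every probed name as supported. If the response carries the negotiated cipher (presumably a field alongside `Version` — verify), add it to the condition, e.g. `err == nil && resp != nil && resp.Cipher == cipher`. Two smaller points in the same hunk: the cipher loop ranges over `resp.VersionEnum`, which is only populated when `TlsVersionsEnum` is set, so `-ce` without `-ve` silently yields nothing and should fall back to `[]string{resp.Version}`; and both `_ :=` discards hide a failing `SupportedTLSCiphers()` (auto and openssl return errors at this point). The local named `enumeratedTlsVersions` inside the cipher loop holds ciphers, so `enumeratedTlsCiphers` would read correctly.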
+++ b/pkg/tlsx/ztls/utils.go
@@ -6,12 +6,20 @@ import (
 "github.com/zmap/zcrypto/tls"
 )
 
-var allCiphers []uint16
+var (
+ allCiphers []uint16
+ allCiphersNames []string
+ supportedTlsVersions []string
+)
 
 func init() {
- for _, cipher := range ztlsCiphers {
+ for name, cipher := range ztlsCiphers {
+ allCiphersNames = append(allCiphersNames, name)
 allCiphers = append(allCiphers, cipher)
 }
+ for name := range versionStringToTLSVersion {
+ supportedTlsVersions = append(supportedTlsVersions, name)
+ }
 }
 
 func toZTLSCiphers(items []string) ([]uint16, error) {
diff --git a/pkg/tlsx/ztls/ztls.go b/pkg/tlsx/ztls/ztls.go
index b9167327..a4ac061e 100644
--- a/pkg/tlsx/ztls/ztls.go
+++ b/pkg/tlsx/ztls/ztls.go
@@ -27,9 +27,6 @@ type Client struct {
 options *clients.Options
 }
 
-// supportedTlsVersions contains the list of supported TLS versions (avoids allocations)
-var supportedTlsVersions = []string{"ssl30", "tls10", "tls11", "tls12"}
-
 // versionStringToTLSVersion converts tls version string to version
 var versionStringToTLSVersion = map[string]uint16{
 "ssl30": tls.VersionSSL30,
@@ -163,6 +160,14 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C
 config.MaxVersion = version
 }
 
+ if len(options.Ciphers) > 0 {
+ customCiphers, err := toZTLSCiphers(options.Ciphers)
+ if err != nil {
+ return nil, errors.Wrap(err, "could not get tls ciphers")
+ }
+ c.tlsConfig.CipherSuites = customCiphers
+ }
+
 tlsConn := tls.Client(conn, config)
 if timeout == 0 {
 err = tlsConn.Handshake()
@@ -250,3 +255,8 @@ func (c *Client) convertCertificateToResponse(hostname string, cert *x509.Certif
 func (c *Client) SupportedTLSVersions() ([]string, error) {
 return supportedTlsVersions, nil
 }
+
+// SupportedTLSVersions returns the list of standard tls library supported ciphers
+func (c *Client) SupportedTLSCiphers() ([]string, error) {
+ return allCiphersNames, nil
+}
From 61027e1da5dcee98d4ae881fdc29694840b20858 Mon Sep 17 00:00:00 2001
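Review bot: The same shared-config write appears in the ztls `@@ -163` hunk: `c.tlsConfig.CipherSuites = customCiphers` mutates the client-wide config rather than the per-connection `config` that `tls.Client(conn, config)` uses, so when `config` is a clone the probed suite applies to the next handshake instead of this one, and in every case it persists across connections and races between workers. Use `config.CipherSuites = customCiphers`, cloning first if `config` still aliases `c.tlsConfig` (the assignment is above the hunk, so check it). The ztls version list includes `ssl30`, so a comment noting that the enumeration deliberately offers SSL 3.0 to detect it would stop a later reader from "fixing" it away. The doc comment on the new `SupportedTLSCiphers` at the bottom of the file still says `SupportedTLSVersions`.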
From: Mzack9999 Date: Mon, 8 Aug 2022 10:20:46 +0200 Subject: [PATCH 3/6] updating openssl to respect interface --- pkg/tlsx/openssl/no_openssl.go | 11 +++++++++++ pkg/tlsx/openssl/openssl.go | 10 ++++++++++ 2 files changed, 21 insertions(+) diff --git a/pkg/tlsx/openssl/no_openssl.go b/pkg/tlsx/openssl/no_openssl.go index ff0c4085..219a8bbc 100644 --- a/pkg/tlsx/openssl/no_openssl.go +++ b/pkg/tlsx/openssl/no_openssl.go @@ -4,6 +4,7 @@ package openssl import ( + "github.com/pkg/errors" "github.com/projectdiscovery/tlsx/pkg/tlsx/clients" ) @@ -22,3 +23,13 @@ func New(options *clients.Options) (*Client, error) { func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.ConnectOptions) (*clients.Response, error) { return nil, ErrNotSupported } + +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSVersions() ([]string, error) { + return nil, errors.New("not implemented in auto mode") +} + +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSCiphers() ([]string, error) { + return nil, errors.New("not implemented in auto mode") +} diff --git a/pkg/tlsx/openssl/openssl.go b/pkg/tlsx/openssl/openssl.go index 80d1d464..d15bd3aa 100644 --- a/pkg/tlsx/openssl/openssl.go +++ b/pkg/tlsx/openssl/openssl.go @@ -186,3 +186,13 @@ func (c *Client) convertOpenSSLToX509Certificate(opensslCert *openssl.Certificat return x509Certificate, nil } + +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSVersions() ([]string, error) { + return nil, errors.New("not implemented in openssl mode") +} + +// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +func (c *Client) SupportedTLSCiphers() ([]string, error) { + return nil, errors.New("not implemented in openssl mode") +} 
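Review bot: In no_openssl.go both stubs return `errors.New("not implemented in auto mode")` although this is the openssl engine's no-cgo build, and in both files the doc comment above `SupportedTLSCiphers` reads `// SupportedTLSVersions is meaningless here ...`. The context line `return nil, ErrNotSupported` shows this package already has a sentinel, so returning it from all four methods, `return nil, ErrNotSupported`, gives callers one value to check with `errors.Is` and removes the wrong wording at once; the comments should name the method they sit on, e.g. `// SupportedTLSCiphers is not implemented for the openssl engine.` If `ErrNotSupported` is only declared in the no-cgo file, openssl.go would need its own sentinel or a shared declaration — verify before switching.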
From 587c36aee49ad8bdc4aff434da73322862e66da4 Mon Sep 17 00:00:00 2001 From: mzack Date: Mon, 8 Aug 2022 10:38:24 +0200 Subject: [PATCH 4/6] fixing various lint issues --- pkg/tlsx/auto/auto.go | 14 -------------- pkg/tlsx/tls/tls.go | 4 ++-- pkg/tlsx/ztls/ztls.go | 4 ++-- 3 files changed, 4 insertions(+), 18 deletions(-) diff --git a/pkg/tlsx/auto/auto.go b/pkg/tlsx/auto/auto.go index 54e36b0c..3254c90e 100644 --- a/pkg/tlsx/auto/auto.go +++ b/pkg/tlsx/auto/auto.go @@ -3,8 +3,6 @@ package auto import ( - "strings" - "github.com/pkg/errors" "github.com/projectdiscovery/tlsx/pkg/output/stats" "github.com/projectdiscovery/tlsx/pkg/tlsx/clients" @@ -69,15 +67,3 @@ func (c *Client) SupportedTLSVersions() ([]string, error) { func (c *Client) SupportedTLSCiphers() ([]string, error) { return nil, errors.New("not implemented in auto mode") } - -// isResponseInvalid handles invalid response -func (c *Client) isResponseInvalid(resp *clients.Response) bool { - if resp == nil { - return true - } - // case for invalid google resolving response - if strings.EqualFold(resp.CertificateResponse.IssuerCN, "invalid2.invalid") { - return true - } - return false -} diff --git a/pkg/tlsx/tls/tls.go b/pkg/tlsx/tls/tls.go index 2d006c9f..6e661d50 100644 --- a/pkg/tlsx/tls/tls.go +++ b/pkg/tlsx/tls/tls.go @@ -7,8 +7,8 @@ import ( "crypto/tls" "crypto/x509" "fmt" - "io/ioutil" "net" + "os" "time" "github.com/pkg/errors" @@ -65,7 +65,7 @@ func New(options *clients.Options) (*Client, error) { } } if options.CACertificate != "" { - caCert, err := ioutil.ReadFile(options.CACertificate) + caCert, err := os.ReadFile(options.CACertificate) if err != nil { return nil, errors.Wrap(err, "could not read ca certificate") } diff --git a/pkg/tlsx/ztls/ztls.go b/pkg/tlsx/ztls/ztls.go index 0b03b305..747aad4b 100644 --- a/pkg/tlsx/ztls/ztls.go +++ b/pkg/tlsx/ztls/ztls.go @@ -5,8 +5,8 @@ package ztls import ( "context" "fmt" - "io/ioutil" "net" + "os" "time" "github.com/pkg/errors" 
@@ -67,7 +67,7 @@ func New(options *clients.Options) (*Client, error) { } } if options.CACertificate != "" { - caCert, err := ioutil.ReadFile(options.CACertificate) + caCert, err := os.ReadFile(options.CACertificate) if err != nil { return nil, errors.Wrap(err, "could not read ca certificate") } From 6061d15ba625ee0946d63d848ab890b6ed7ebfad Mon Sep 17 00:00:00 2001 From: mzack Date: Tue, 9 Aug 2022 09:58:04 +0200 Subject: [PATCH 5/6] adding tls/cipher enum to auto mode --- pkg/tlsx/auto/auto.go | 10 +++++----- pkg/tlsx/auto/util.go | 19 +++++++++++++++++++ pkg/tlsx/tls/tls.go | 8 ++++---- pkg/tlsx/tls/utils.go | 12 ++++++------ pkg/tlsx/ztls/utils.go | 12 ++++++------ pkg/tlsx/ztls/ztls.go | 10 +++++----- 6 files changed, 45 insertions(+), 26 deletions(-) create mode 100644 pkg/tlsx/auto/util.go diff --git a/pkg/tlsx/auto/auto.go b/pkg/tlsx/auto/auto.go index 3254c90e..75f80fa8 100644 --- a/pkg/tlsx/auto/auto.go +++ b/pkg/tlsx/auto/auto.go @@ -30,7 +30,7 @@ func New(options *clients.Options) (*Client, error) { } opensslClient, err := openssl.New(options) if err != nil && err != openssl.ErrNotSupported { - return nil, errors.Wrap(err, "could not create ztls client") + return nil, errors.Wrap(err, "could not create openssl client") } return &Client{tlsClient: tlsClient, ztlsClient: ztlsClient, opensslClient: opensslClient}, nil } 
@@ -58,12 +58,12 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C return response, nil } -// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +// SupportedTLSVersions returns the list of supported tls versions by all engines func (c *Client) SupportedTLSVersions() ([]string, error) { - return nil, errors.New("not implemented in auto mode") + return supportedTlsVersions, nil } -// SupportedTLSVersions is meaningless here but necessary due to the interface system implemented +// SupportedTLSCiphers returns the list of supported ciphers by all engines func (c *Client) SupportedTLSCiphers() ([]string, error) { - return nil, errors.New("not implemented in auto mode") + return allCiphersNames, nil } diff --git a/pkg/tlsx/auto/util.go b/pkg/tlsx/auto/util.go new file mode 100644 index 00000000..d4f15f24 --- /dev/null +++ b/pkg/tlsx/auto/util.go @@ -0,0 +1,19 @@ +package auto + +import ( + "github.com/projectdiscovery/sliceutil" + "github.com/projectdiscovery/tlsx/pkg/tlsx/tls" + "github.com/projectdiscovery/tlsx/pkg/tlsx/ztls" +) + +var ( + allCiphersNames []string + supportedTlsVersions []string +) + +func init() { + allCiphersNames = append(tls.AllCiphersNames, ztls.AllCiphersNames...) + supportedTlsVersions = append(tls.SupportedTlsVersions, ztls.SupportedTlsVersions...) + allCiphersNames = sliceutil.Dedupe(allCiphersNames) + supportedTlsVersions = sliceutil.Dedupe(supportedTlsVersions) +} diff --git a/pkg/tlsx/tls/tls.go b/pkg/tlsx/tls/tls.go index 6e661d50..bd4fb90c 100644 --- a/pkg/tlsx/tls/tls.go +++ b/pkg/tlsx/tls/tls.go @@ -55,7 +55,7 @@ func New(options *clients.Options) (*Client, error) { } if options.AllCiphers { - c.tlsConfig.CipherSuites = allCiphers + c.tlsConfig.CipherSuites = AllCiphers } if len(options.Ciphers) > 0 { if customCiphers, err := toTLSCiphers(options.Ciphers); err != nil { 
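Review bot: `supportedTlsVersions` and `allCiphersNames` in the new util.go are the concatenation of two slices that are each built from map iteration in the engine packages' `init()`, so after `sliceutil.Dedupe` the auto-mode probe order and output order are nondeterministic; add `sort.Strings(allCiphersNames)` and `sort.Strings(supportedTlsVersions)` after the two `Dedupe` calls. The union also hands each engine names it does not know (`ssl30` to crypto/tls, ztls-only suites to the standard client), which their `ConnectWithOptions` reject with `invalid tls version specified` / `could not get tls ciphers`; presumably the auto client's fallback chain absorbs those errors, but a comment on the `var` block saying so would make the intent explicit, since every probe in auto mode may otherwise cost one connection per engine. A one-line note that this `init()` relies on `tls` and `ztls` having populated their exported slices first (guaranteed for imported packages) would also help.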
@@ -221,10 +221,10 @@ func (c *Client) convertCertificateToResponse(hostname string, cert *x509.Certif // SupportedTLSVersions returns the list of standard tls library supported tls versions func (c *Client) SupportedTLSVersions() ([]string, error) { - return supportedTlsVersions, nil + return SupportedTlsVersions, nil } -// SupportedTLSVersions returns the list of standard tls library supported ciphers +// SupportedTLSCiphers returns the list of standard tls library supported ciphers func (c *Client) SupportedTLSCiphers() ([]string, error) { - return allCiphersNames, nil + return AllCiphersNames, nil } diff --git a/pkg/tlsx/tls/utils.go b/pkg/tlsx/tls/utils.go index e1931acf..f7bdad0a 100644 --- a/pkg/tlsx/tls/utils.go +++ b/pkg/tlsx/tls/utils.go @@ -6,18 +6,18 @@ import ( ) var ( - allCiphers []uint16 - allCiphersNames []string - supportedTlsVersions []string + AllCiphers []uint16 + AllCiphersNames []string + SupportedTlsVersions []string ) func init() { for name, cipher := range tlsCiphers { - allCiphersNames = append(allCiphersNames, name) - allCiphers = append(allCiphers, cipher) + AllCiphersNames = append(AllCiphersNames, name) + AllCiphers = append(AllCiphers, cipher) } for name := range versionStringToTLSVersion { - supportedTlsVersions = append(supportedTlsVersions, name) + SupportedTlsVersions = append(SupportedTlsVersions, name) } } diff --git a/pkg/tlsx/ztls/utils.go b/pkg/tlsx/ztls/utils.go index 4a3749ff..648d4e7e 100644 --- a/pkg/tlsx/ztls/utils.go +++ b/pkg/tlsx/ztls/utils.go 
@@ -7,18 +7,18 @@ import ( ) var ( - allCiphers []uint16 - allCiphersNames []string - supportedTlsVersions []string + AllCiphers []uint16 + AllCiphersNames []string + SupportedTlsVersions []string ) func init() { for name, cipher := range ztlsCiphers { - allCiphersNames = append(allCiphersNames, name) - allCiphers = append(allCiphers, cipher) + AllCiphersNames = append(AllCiphersNames, name) + AllCiphers = append(AllCiphers, cipher) } for name := range versionStringToTLSVersion { - supportedTlsVersions = append(supportedTlsVersions, name) + SupportedTlsVersions = append(SupportedTlsVersions, name) } } diff --git a/pkg/tlsx/ztls/ztls.go b/pkg/tlsx/ztls/ztls.go index 747aad4b..3d3b0a77 100644 --- a/pkg/tlsx/ztls/ztls.go +++ b/pkg/tlsx/ztls/ztls.go @@ -57,7 +57,7 @@ func New(options *clients.Options) (*Client, error) { } if options.AllCiphers { - c.tlsConfig.CipherSuites = allCiphers + c.tlsConfig.CipherSuites = AllCiphers } if len(options.Ciphers) > 0 { if customCiphers, err := toZTLSCiphers(options.Ciphers); err != nil { @@ -253,12 +253,12 @@ func ConvertCertificateToResponse(options *clients.Options, hostname string, cer return response } -// SupportedTLSVersions returns the list of standard tls library supported tls versions +// SupportedTLSVersions returns the list of ztls library supported tls versions func (c *Client) SupportedTLSVersions() ([]string, error) { - return supportedTlsVersions, nil + return SupportedTlsVersions, nil } -// SupportedTLSVersions returns the list of standard tls library supported ciphers +// SupportedTLSCiphers returns the list of ztls library supported ciphers func (c *Client) SupportedTLSCiphers() ([]string, error) { - return allCiphersNames, nil + return AllCiphersNames, nil } From cfc362d18c09e6c1619219f7d923b6f9eb934b51 Mon Sep 17 00:00:00 2001 From: mzack Date: Tue, 9 Aug 2022 09:59:28 +0200 Subject: [PATCH 6/6] renaming json fields --- pkg/tlsx/clients/clients.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkg/tlsx/clients/clients.go b/pkg/tlsx/clients/clients.go index af323ce9..320c598e 100644 --- a/pkg/tlsx/clients/clients.go +++ b/pkg/tlsx/clients/clients.go @@ -151,8 +151,8 @@ type Response struct { JarmHash string `json:"jarm_hash,omitempty"` Ja3Hash string `json:"ja3_hash,omitempty"` ServerName string `json:"sni,omitempty"` - VersionEnum []string `json:"version-enum,omitempty"` - TlsCiphers []TlsCiphers `json:"cipher-enum,omitempty"` + VersionEnum []string `json:"version_enum,omitempty"` + TlsCiphers []TlsCiphers `json:"cipher_enum,omitempty"` } type TlsCiphers struct {