Can we disable tls parsing in http module #378
Comments
|
Can you provide enough info to reproduce this? Is there a host/port with this behavior you can share? I would be much more interested in fixing it rather than masking it |
|
You can try the command, I think it is specifically because of tls certificate is not following the asn.1 standard. echo 34.107.18.135 | ./zgrab http -p 443 --use-https |
|
The fix for this would be to loosen the ASN1 parsing in https://github.com/zmap/zcrypto |
Seanstoppable
added a commit
to Seanstoppable/zgrab2
that referenced
this issue
Oct 14, 2023
This is driven by zmap#378, zmap/zcrypto#364 and zmap#334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ```
Merged
zakird
pushed a commit
that referenced
this issue
Feb 18, 2024
* Add permissive parsing TLS option This is driven by #378, zmap/zcrypto#364 and #334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ``` * Make permissive parsing the default/no option
|
I believe this can now be resolved |
|
@rony0724 have you tried out the changes referenced in the issue? They should provide the behavior you were looking for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
something like --no-tls
./zgrab http -p 443 --use-https --no-tlsAt some ips, tls certificate parsing is getting failed.
{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-04-08T08:53:52Z","error":"tls: failed to parse certificate from server: asn1: syntax error: PrintableString contains invalid character"}
The text was updated successfully, but these errors were encountered: