making ztls global and optional

v2/cmd/nuclei/main.go

@@ -134,6 +134,7 @@ on extensive configurability, massive extensibility and ease of use.`)
 		flagSet.StringVarP(&options.ClientCertFile, "client-cert", "cc", "", "client certificate file (PEM-encoded) used for authenticating against scanned hosts"),
 		flagSet.StringVarP(&options.ClientKeyFile, "client-key", "ck", "", "client key file (PEM-encoded) used for authenticating against scanned hosts"),
 		flagSet.StringVarP(&options.ClientCAFile, "client-ca", "ca", "", "client certificate authority file (PEM-encoded) used for authenticating against scanned hosts"),
+		flagSet.BoolVar(&options.ZTLS, "ztls", false, "Use ztls library with autofallback to standard one for tls13"),
 	)
 
 	createGroup(flagSet, "interactsh", "interactsh",

v2/go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/projectdiscovery/clistats v0.0.8
 	github.com/projectdiscovery/cryptoutil v0.0.0-20220124150510-1f21e1ec3143
-	github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de
+	github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7
 	github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08
 	github.com/projectdiscovery/fileutil v0.0.0-20210928100737-cab279c5d4b5
 	github.com/projectdiscovery/goflags v0.0.8-0.20211028121123-edf02bc05b1a

v2/go.sum

@@ -412,6 +412,8 @@ github.com/projectdiscovery/cryptoutil v0.0.0-20220124150510-1f21e1ec3143/go.mod
 github.com/projectdiscovery/fastdialer v0.0.12/go.mod h1:RkRbxqDCcCFhfNUbkzBIz/ieD4uda2JuUA4WJ+RLee0=
 github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de h1:9vQIzE3cDZvgLoxeGSHrR6gK8F3Grs6Kb0hDzdZdoiQ=
 github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de/go.mod h1:Mex24omi3RxrmhA8Ote7rw+6LWMiaBvbJq8CNp0ksII=
+github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7 h1:Q0vxiaBjfXDhdhPOZeuq5DypHxr1g9VMagtVt1YUZCs=
+github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7/go.mod h1:Mex24omi3RxrmhA8Ote7rw+6LWMiaBvbJq8CNp0ksII=
 github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08 h1:NwD1R/du1dqrRKN3SJl9kT6tN3K9puuWFXEvYF2ihew=
 github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08/go.mod h1:paLCnwV8sL7ppqIwVQodQrk3F6mnWafwTDwRd7ywZwQ=
 github.com/projectdiscovery/fileutil v0.0.0-20210804142714-ebba15fa53ca/go.mod h1:U+QCpQnX8o2N2w0VUGyAzjM3yBAe4BKedVElxiImsx0=

v2/pkg/protocols/common/protocolstate/state.go

@@ -20,6 +20,7 @@ func Init(options *types.Options) error {
 		opts.BaseResolvers = options.InternalResolversList
 	}
 	opts.WithDialerHistory = true
+	opts.WithZTLS = options.ZTLS
 	dialer, err := fastdialer.NewDialer(opts)
 	if err != nil {
 		return errors.Wrap(err, "could not create dialer")

v2/pkg/protocols/ssl/ssl.go

@@ -55,7 +55,7 @@ type Request struct {
 	//   - "tls13"
 	MaxVersion string `yaml:"max_version,omitempty" jsonschema:"title=TLS version,description=Max tls version - automatic if not specified.,enum=sslv3,enum=tls10,enum=tls11,enum=tls12,enum=tls13"`
 	// description: |
-	//   Client Cipher Suites - auto if not specified.
+	//   Client Cipher Suites  - auto if not specified.
 	CiperSuites []string `yaml:"cipher_suites,omitempty"`
 
 	// cache any variables that may be needed for operation.
@@ -118,8 +118,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 	}
 
 	addressToDial := string(finalAddress)
-	shouldUseZTLS := true
-
 	var minVersion, maxVersion uint16
 	if request.MinVersion != "" {
 		version, err := toVersion(request.MinVersion)
@@ -127,7 +125,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 			return err
 		}
 		minVersion = version
-		shouldUseZTLS = minVersion != tls.VersionTLS13
 	}
 	if request.MaxVersion != "" {
 		version, err := toVersion(request.MaxVersion)
@@ -141,28 +138,24 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 		return err
 	}
 	var conn net.Conn
-	if shouldUseZTLS {
+	zconfig := &ztls.Config{InsecureSkipVerify: true, ServerName: hostname}
-		config := &ztls.Config{InsecureSkipVerify: true, ServerName: hostname}
+	if minVersion > 0 {
-		if minVersion > 0 {
+		zconfig.MinVersion = minVersion
-			config.MinVersion = minVersion
+	}
-		}
+	if maxVersion > 0 {
-		if maxVersion > 0 {
+		zconfig.MaxVersion = maxVersion
-			config.MaxVersion = maxVersion
+	}
-		}
+	if len(zconfig.CipherSuites) > 0 {
-		if len(config.CipherSuites) > 0 {
+		zconfig.CipherSuites = cipherSuites
-			config.CipherSuites = cipherSuites
+	}
-		}
+
-		conn, err = request.dialer.DialZTLSWithConfig(context.Background(), "tcp", addressToDial, config)
+	if request.options.Options.ZTLS {
+		conn, err = request.dialer.DialZTLSWithConfig(context.Background(), "tcp", addressToDial, zconfig)
 	} else {
-		config := &tls.Config{InsecureSkipVerify: true, ServerName: hostname}
+		var config *tls.Config
-		if minVersion > 0 {
+		config, err = fastdialer.AsTLSConfig(zconfig)
-			config.MinVersion = minVersion
+		if err != nil {
-		}
+			return err
-		if maxVersion > 0 {
-			config.MaxVersion = maxVersion
-		}
-		if len(config.CipherSuites) > 0 {
-			config.CipherSuites = cipherSuites
 		}
 		conn, err = request.dialer.DialTLSWithConfig(context.Background(), "tcp", addressToDial, config)
 	}
@@ -175,10 +168,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 	defer conn.Close()
 	_ = conn.SetReadDeadline(time.Now().Add(time.Duration(requestOptions.Options.Timeout) * time.Second))
 
-	connTLS, ok := conn.(*ztls.Conn)
-	if !ok {
-		return nil
-	}
 	requestOptions.Output.Request(requestOptions.TemplateID, address, request.Type().String(), err)
 	gologger.Verbose().Msgf("Sent SSL request to %s", address)
 
@@ -186,23 +175,47 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 		gologger.Debug().Str("address", input).Msgf("[%s] Dumped SSL request for %s", requestOptions.TemplateID, input)
 	}
 
-	state := connTLS.ConnectionState()
+	var (
-	if len(state.PeerCertificates) == 0 {
+		tlsData      interface{}
-		return nil
+		certNotAfter int64
+	)
+	if request.options.Options.ZTLS {
+		connTLS, ok := conn.(*ztls.Conn)
+		if !ok {
+			return nil
+		}
+		state := connTLS.ConnectionState()
+		if len(state.PeerCertificates) == 0 {
+			return nil
+		}
+
+		tlsData = cryptoutil.ZTLSGrab(connTLS)
+		cert := connTLS.ConnectionState().PeerCertificates[0]
+		certNotAfter = cert.NotAfter.Unix()
+	} else {
+		connTLS, ok := conn.(*tls.Conn)
+		if !ok {
+			return nil
+		}
+		state := connTLS.ConnectionState()
+		if len(state.PeerCertificates) == 0 {
+			return nil
+		}
+		tlsData = cryptoutil.TLSGrab(&state)
+		cert := connTLS.ConnectionState().PeerCertificates[0]
+		certNotAfter = cert.NotAfter.Unix()
 	}
 
-	ztlsData := cryptoutil.ZTLSGrab(connTLS)
+	jsonData, _ := jsoniter.Marshal(tlsData)
-	jsonData, _ := jsoniter.Marshal(ztlsData)
 	jsonDataString := string(jsonData)
 
 	data := make(map[string]interface{})
-	cert := connTLS.ConnectionState().PeerCertificates[0]
 
 	data["type"] = request.Type().String()
 	data["response"] = jsonDataString
 	data["host"] = input
 	data["matched"] = addressToDial
-	data["not_after"] = float64(cert.NotAfter.Unix())
+	data["not_after"] = float64(certNotAfter)
 	data["ip"] = request.dialer.GetDialedIP(hostname)
 
 	event := eventcreator.CreateEvent(request, data, requestOptions.Options.Debug || requestOptions.Options.DebugResponse)

v2/pkg/types/types.go

@@ -194,6 +194,8 @@ type Options struct {
 	ClientKeyFile string
 	// ClientCAFile client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
 	ClientCAFile string
+	// Use ZTLS library
+	ZTLS bool
 }
 
 func (options *Options) AddVarPayload(key string, value interface{}) {