making ztls global and optional

2025-12-17 19:55:26 +00:00 · 2022-01-25 20:48:21 +01:00 · 2022-01-25 20:48:21 +01:00 · a6798f37ad
commit a6798f37ad
parent 449e4fa431
6 changed files with 56 additions and 37 deletions
--- a/v2/cmd/nuclei/main.go
+++ b/v2/cmd/nuclei/main.go
@ -134,6 +134,7 @@ on extensive configurability, massive extensibility and ease of use.`)
 		flagSet.StringVarP(&options.ClientCertFile, "client-cert", "cc", "", "client certificate file (PEM-encoded) used for authenticating against scanned hosts"),
 		flagSet.StringVarP(&options.ClientKeyFile, "client-key", "ck", "", "client key file (PEM-encoded) used for authenticating against scanned hosts"),
 		flagSet.StringVarP(&options.ClientCAFile, "client-ca", "ca", "", "client certificate authority file (PEM-encoded) used for authenticating against scanned hosts"),
+		flagSet.BoolVar(&options.ZTLS, "ztls", false, "Use ztls library with autofallback to standard one for tls13"),
 	)

 	createGroup(flagSet, "interactsh", "interactsh",
--- a/v2/go.mod
+++ b/v2/go.mod
@ -27,7 +27,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/projectdiscovery/clistats v0.0.8
 	github.com/projectdiscovery/cryptoutil v0.0.0-20220124150510-1f21e1ec3143
-	github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de
+	github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7
 	github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08
 	github.com/projectdiscovery/fileutil v0.0.0-20210928100737-cab279c5d4b5
 	github.com/projectdiscovery/goflags v0.0.8-0.20211028121123-edf02bc05b1a
--- a/v2/go.sum
+++ b/v2/go.sum
@ -412,6 +412,8 @@ github.com/projectdiscovery/cryptoutil v0.0.0-20220124150510-1f21e1ec3143/go.mod
 github.com/projectdiscovery/fastdialer v0.0.12/go.mod h1:RkRbxqDCcCFhfNUbkzBIz/ieD4uda2JuUA4WJ+RLee0=
 github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de h1:9vQIzE3cDZvgLoxeGSHrR6gK8F3Grs6Kb0hDzdZdoiQ=
 github.com/projectdiscovery/fastdialer v0.0.15-0.20220124150833-4b108b8258de/go.mod h1:Mex24omi3RxrmhA8Ote7rw+6LWMiaBvbJq8CNp0ksII=
+github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7 h1:Q0vxiaBjfXDhdhPOZeuq5DypHxr1g9VMagtVt1YUZCs=
+github.com/projectdiscovery/fastdialer v0.0.15-0.20220125194529-ae3cd418e3e7/go.mod h1:Mex24omi3RxrmhA8Ote7rw+6LWMiaBvbJq8CNp0ksII=
 github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08 h1:NwD1R/du1dqrRKN3SJl9kT6tN3K9puuWFXEvYF2ihew=
 github.com/projectdiscovery/filekv v0.0.0-20210915124239-3467ef45dd08/go.mod h1:paLCnwV8sL7ppqIwVQodQrk3F6mnWafwTDwRd7ywZwQ=
 github.com/projectdiscovery/fileutil v0.0.0-20210804142714-ebba15fa53ca/go.mod h1:U+QCpQnX8o2N2w0VUGyAzjM3yBAe4BKedVElxiImsx0=
--- a/v2/pkg/protocols/common/protocolstate/state.go
+++ b/v2/pkg/protocols/common/protocolstate/state.go
@ -20,6 +20,7 @@ func Init(options *types.Options) error {
 		opts.BaseResolvers = options.InternalResolversList
 	}
 	opts.WithDialerHistory = true
+	opts.WithZTLS = options.ZTLS
 	dialer, err := fastdialer.NewDialer(opts)
 	if err != nil {
 		return errors.Wrap(err, "could not create dialer")
--- a/v2/pkg/protocols/ssl/ssl.go
+++ b/v2/pkg/protocols/ssl/ssl.go
@ -118,8 +118,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 	}

 	addressToDial := string(finalAddress)
-	shouldUseZTLS := true
-
 	var minVersion, maxVersion uint16
 	if request.MinVersion != "" {
 		version, err := toVersion(request.MinVersion)
@ -127,7 +125,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 			return err
 		}
 		minVersion = version
-		shouldUseZTLS = minVersion != tls.VersionTLS13
 	}
 	if request.MaxVersion != "" {
 		version, err := toVersion(request.MaxVersion)
@ -141,28 +138,24 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 		return err
 	}
 	var conn net.Conn
-	if shouldUseZTLS {
-		config := &ztls.Config{InsecureSkipVerify: true, ServerName: hostname}
+	zconfig := &ztls.Config{InsecureSkipVerify: true, ServerName: hostname}
 	if minVersion > 0 {
-			config.MinVersion = minVersion
+		zconfig.MinVersion = minVersion
 	}
 	if maxVersion > 0 {
-			config.MaxVersion = maxVersion
+		zconfig.MaxVersion = maxVersion
 	}
-		if len(config.CipherSuites) > 0 {
-			config.CipherSuites = cipherSuites
+	if len(zconfig.CipherSuites) > 0 {
+		zconfig.CipherSuites = cipherSuites
 	}
-		conn, err = request.dialer.DialZTLSWithConfig(context.Background(), "tcp", addressToDial, config)
+
+	if request.options.Options.ZTLS {
+		conn, err = request.dialer.DialZTLSWithConfig(context.Background(), "tcp", addressToDial, zconfig)
 	} else {
-		config := &tls.Config{InsecureSkipVerify: true, ServerName: hostname}
-		if minVersion > 0 {
-			config.MinVersion = minVersion
-		}
-		if maxVersion > 0 {
-			config.MaxVersion = maxVersion
-		}
-		if len(config.CipherSuites) > 0 {
-			config.CipherSuites = cipherSuites
+		var config *tls.Config
+		config, err = fastdialer.AsTLSConfig(zconfig)
+		if err != nil {
+			return err
 		}
 		conn, err = request.dialer.DialTLSWithConfig(context.Background(), "tcp", addressToDial, config)
 	}
@ -175,10 +168,6 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 	defer conn.Close()
 	_ = conn.SetReadDeadline(time.Now().Add(time.Duration(requestOptions.Options.Timeout) * time.Second))

-	connTLS, ok := conn.(*ztls.Conn)
-	if !ok {
-		return nil
-	}
 	requestOptions.Output.Request(requestOptions.TemplateID, address, request.Type().String(), err)
 	gologger.Verbose().Msgf("Sent SSL request to %s", address)

@ -186,23 +175,47 @@ func (request *Request) ExecuteWithResults(input string, dynamicValues, previous
 		gologger.Debug().Str("address", input).Msgf("[%s] Dumped SSL request for %s", requestOptions.TemplateID, input)
 	}

+	var (
+		tlsData      interface{}
+		certNotAfter int64
+	)
+	if request.options.Options.ZTLS {
+		connTLS, ok := conn.(*ztls.Conn)
+		if !ok {
+			return nil
+		}
 		state := connTLS.ConnectionState()
 		if len(state.PeerCertificates) == 0 {
 			return nil
 		}

-	ztlsData := cryptoutil.ZTLSGrab(connTLS)
-	jsonData, _ := jsoniter.Marshal(ztlsData)
+		tlsData = cryptoutil.ZTLSGrab(connTLS)
+		cert := connTLS.ConnectionState().PeerCertificates[0]
+		certNotAfter = cert.NotAfter.Unix()
+	} else {
+		connTLS, ok := conn.(*tls.Conn)
+		if !ok {
+			return nil
+		}
+		state := connTLS.ConnectionState()
+		if len(state.PeerCertificates) == 0 {
+			return nil
+		}
+		tlsData = cryptoutil.TLSGrab(&state)
+		cert := connTLS.ConnectionState().PeerCertificates[0]
+		certNotAfter = cert.NotAfter.Unix()
+	}
+
+	jsonData, _ := jsoniter.Marshal(tlsData)
 	jsonDataString := string(jsonData)

 	data := make(map[string]interface{})
-	cert := connTLS.ConnectionState().PeerCertificates[0]

 	data["type"] = request.Type().String()
 	data["response"] = jsonDataString
 	data["host"] = input
 	data["matched"] = addressToDial
-	data["not_after"] = float64(cert.NotAfter.Unix())
+	data["not_after"] = float64(certNotAfter)
 	data["ip"] = request.dialer.GetDialedIP(hostname)

 	event := eventcreator.CreateEvent(request, data, requestOptions.Options.Debug || requestOptions.Options.DebugResponse)
--- a/v2/pkg/types/types.go
+++ b/v2/pkg/types/types.go
@ -194,6 +194,8 @@ type Options struct {
 	ClientKeyFile string
 	// ClientCAFile client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
 	ClientCAFile string
+	// Use ZTLS library
+	ZTLS bool
 }

 func (options *Options) AddVarPayload(key string, value interface{}) {