making ssl errors non fatal (#5203)

* making ssl errors non fatal * adding test
2025-12-17 19:45:28 +00:00 · 2024-05-21 18:12:01 +02:00 · 2024-05-21 18:12:01 +02:00 · f6332583b7
commit f6332583b7
parent 7a4969d2a2
3 changed files with 68 additions and 1 deletions
--- a/cmd/integration-test/ssl.go
+++ b/cmd/integration-test/ssl.go
@ -13,6 +13,7 @@ var sslTestcases = []TestCaseInfo{
 	{Path: "protocols/ssl/custom-cipher.yaml", TestCase: &sslCustomCipher{}},
 	{Path: "protocols/ssl/custom-version.yaml", TestCase: &sslCustomVersion{}},
 	{Path: "protocols/ssl/ssl-with-vars.yaml", TestCase: &sslWithVars{}},
+	{Path: "protocols/ssl/multi-req.yaml", TestCase: &sslMultiReq{}},
 }

 type sslBasic struct{}
@ -118,3 +119,23 @@ func (h *sslWithVars) Execute(filePath string) error {

 	return expectResultsCount(results, 1)
 }
+
+type sslMultiReq struct{}
+
+func (h *sslMultiReq) Execute(filePath string) error {
+	ts := testutils.NewTCPServer(&tls.Config{}, defaultStaticPort, func(conn net.Conn) {
+		defer conn.Close()
+		data := make([]byte, 4)
+		if _, err := conn.Read(data); err != nil {
+			return
+		}
+	})
+	defer ts.Close()
+
+	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, ts.URL, debug, "-V")
+	if err != nil {
+		return err
+	}
+
+	return expectResultsCount(results, 2)
+}
--- a/integration_tests/protocols/ssl/multi-req.yaml
+++ b/integration_tests/protocols/ssl/multi-req.yaml
@ -0,0 +1,34 @@
+id: multi-req
+
+info:
+  name: Multi-Request
+  author: pdteam
+  severity: info
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+    min_version: ssl30
+    max_version: ssl30
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
+
+  - address: "{{Host}}:{{Port}}"
+    min_version: tls10
+    max_version: tls10
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
+
+  - address: "{{Host}}:{{Port}}"
+    min_version: tls11
+    max_version: tls11
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
--- a/pkg/tmplexec/multiproto/multi.go
+++ b/pkg/tmplexec/multiproto/multi.go
@ -8,6 +8,8 @@ import (
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators"
 	"github.com/projectdiscovery/nuclei/v3/pkg/scan"
+	"github.com/projectdiscovery/nuclei/v3/pkg/templates/types"
+	stringsutil "github.com/projectdiscovery/utils/strings"
 )

 // Mutliprotocol is a template executer engine that executes multiple protocols
@ -110,9 +112,19 @@ func (m *MultiProtocol) ExecuteWithResults(ctx *scan.ScanContext) error {

 		values := m.options.GetTemplateCtx(ctx.Input.MetaInput).GetAll()
 		err := req.ExecuteWithResults(ctx.Input, output.InternalEvent(values), nil, multiProtoCallback)
-		// if error skip execution of next protocols
+		// in case of fatal error skip execution of next protocols
 		if err != nil {
+			// always log errors
 			ctx.LogError(err)
+
+			// for some classes of protocols (i.e ssl) errors like tls handshake are a legitimate behavior so we don't stop execution
+			// connection failures are already tracked by the internal host error cache
+			// we use strings comparison as the error is not formalized into instance within the standard library
+			// within a flow instead we consider ssl errors as fatal, since a specific logic was requested
+			if req.Type() == types.SSLProtocol && stringsutil.ContainsAnyI(err.Error(), "protocol version not supported", "could not do tls handshake") {
+				continue
+			}
+
 			return err
 		}
 	}