Bug 2180330

Summary: Rebase nmap for TLS v1.3 support
Product: Red Hat Enterprise Linux 9 Reporter: Martin Osvald 🛹 <mosvald>
Component: nmapAssignee: Martin Osvald 🛹 <mosvald>
Status: VERIFIED --- QA Contact: František Hrdina <fhrdina>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1CC: fhrdina
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nmap-7.92-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2169766    

Description Martin Osvald 🛹 2023-03-21 08:13:56 UTC
This bug was initially created as a copy of Bug #2169766

I am copying this bug because: 

This needs to be fixed in RHEL9 first before it can be fixed in RHEL8.
 

Description of problem:
nmap shipped in RHEL 8 and 9 does not properly detect TLS 1.3 ciphers

Version-Release number of selected component (if applicable):
nmap-7.70-8.e8
nmap-7.91-10.el9

How reproducible:
Always

Steps to Reproduce:
1. Start http server with TLS v1.3 support enabled
2. run nmap against it


Actual results:
nmap does not specify TLS 1.3 support

Expected results:
nmap properly identifies TLS 1.3 ciphers on host

Additional info:
Comparison between openssl and nmap
 

Using openssl:

openssl s_client -connect 10.0.0.1:21 -starttls ftp -tls1_3
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, ST = North Carolina, O = "Red Hat, Inc.", CN = foo.example.com
verify return:1
.
.
.
Requested Signature Algorithms: Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:0x1A+0x08:0x1B+0x08:0x1C+0x08:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 21876 bytes and written 337 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
220 10.0.0.1 FTP server 5.5-20230126 ready.
 

Using nmap:

Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-13 14:27 EST
Nmap scan report for foo.example.com (10.0.0.1)
Host is up (0.030s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings:
|   GenericLines:
|     220 10.0.0.1 FTP server 5.5-20230126 ready.
|   Help:
|     220 10.0.0.1 FTP server 5.5-20230126 ready.
|     mandatory.
|   NULL, SMBProgNeg:
|     220 10.0.0.1 FTP server 5.5-20230126 ready.
|   SSLSessionReq:
|     220 10.0.0.1 FTP server 5.5-20230126 ready.
|_    Invalid character in command
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds