Detecting TLS certificates

TLS certificates are well known from surfing in the world wide web: HTTPS (unlike HTTP) uses a TLS certificate to establish trust to the web site. The trust is based on the certificate of the website digitally signed by a authority and this authority being a trusted by your web browser. Well, the story is a bit more complex of course and involves state-of-the-art cryptography.

Certificates could be expired, invalid or in various ways regarded insecure. With scanning you can find out about such certificates automatically. Now, TLS certificates are not only used for HTTPS and scanning needs to consider further protocols and technologies. Here is a list of protocols supported by Greenbone:

Implicit TLS

“Implicit TLS” services directly accept TLS connections. Essentially this means, the TLS certificate can be extracted regardless of the actual protocol.

Examples are: HTTPS, FTPS, SMTPS

Our scanner identifies the certificates very easily for any such service, naturally.

Explicit / opportunistic TLS

A “explicit TLS” service needs a special protocol command to start the TLS session.
For example some protocols offer the command “STARTTLS” to start into a TLS session and only afterwards the TLS certificates gets available to the client (which is in our case the scanner).

Essentially this means the protocol needs to be explicitly supported by the scanner because it needs to know how to get to the TLS certificate.

Greenbone supports TLS certificate extraction for the following protocols:

  • FTP
  • IRC
  • MySQL
  • POP3
  • SMTP
  • IMAP
  • LDAP
  • NNTP
  • RDP
  • XMPP

TLS certificate extraction

For both of the above cases, the scanner needs to be capable to actually establish a connection to the service and the scanner needs to support the TLS certificate type used by the service. The latter is supported by continuous development and it means you should use the latest releases and and up-to-date feed service when scanning.