Add HTTP TLS peer cert tracing via CertificateTrace (Phase 1)#21599
Add HTTP TLS peer cert tracing via CertificateTrace (Phase 1)#21599Pushpenderrathore wants to merge 5 commits into
Conversation
Introduces Msf::Exploit::Remote::SslPeerCertTrace with an SSLPeerCertTrace enum datastore option (off/metadata/full). HttpClient includes the mixin and calls ssl_peer_cert_trace after each send_recv; the helper reads conn.peer_cert, deduplicates per host:port, and formats the server certificate through the existing CertificateTracePresenter.
Removes the standalone SSLPeerCertTrace mixin and SSLPeerCertTrace datastore option. Peer SSL certificate tracing now lives in CertificateTrace as #certificate_peer_cert_trace, reusing the existing CertificateTrace enum and CertificateTraceColors option so all cert output (issued, CSR, peer) is controlled by a single operator-facing option. Deduplication now uses the database when active (ssl.peer_cert_seen note per host:port, update: :unique) so the same server certificate is not reprinted across module runs. Falls back to in-memory dedup when no DB is connected. HttpClient is updated to include CertificateTrace instead of SslPeerCertTrace and calls certificate_peer_cert_trace after send_recv. The ssl_peer_cert_trace mixin file and its spec are removed; the 20 new peer cert examples are added to certificate_trace_spec.rb (46 examples, 0 failures).
certificate_trace already tested the invalid-cert no-raise case; add the same coverage for certificate_peer_cert_trace.
Resolve conflicts from the merged CSR trace work (rapid7#21580): - certificate_trace.rb: keep both certificate_peer_cert_trace and certificate_csr_trace as sibling methods - certificate_trace_spec.rb: keep both describe blocks as siblings Presenter takes master's trace_separator version; peer cert method uses it transparently via the presenter public API.
|
Rebased/merged latest master and resolved the conflicts. The conflicts were both-add collisions with the CSR trace work (#21580) that landed on master after this branch was cut. Both PRs inserted a new method into Resolution:
Spec passes locally: 52 examples, 0 failures. Branch is now mergeable. |
Addresses review feedback that a server's TLS peer certificate printed under the same '[CertificateTrace] x.509' header as an issued/client certificate, making the two indistinguishable. Add an optional label: keyword to CertificateTracePresenter#to_s_metadata and #to_s_full (default 'x.509', backward compatible). certificate_peer_cert_trace now renders peer certs under a 'Peer Cert' header. Issued-cert and CSR output are unchanged.
|
Addressed the peer-cert labeling feedback: a server's TLS peer certificate was printing under the same Added an optional Verified live with Only the header line differs from an issued or client cert ( |
Summary
Extends
CertificateTrace(the existing mixin for issued cert and CSR tracing) to also surface the server's TLS peer certificate when an HTTP module connects over HTTPS. No new operator-facing option is introduced -- operators use the sameCertificateTraceenum (off/metadata/full) they already know.Key design points:
#certificate_peer_cert_trace(cert, host, port)added toMsf::Exploit::Remote::CertificateTraceHttpClientcalls it aftersend_recvwhen a raw peer cert is availablessl.peer_cert_seennote,update: :unique) with in-memory@_peer_cert_seenfallback when no DBpeer_cert) are silently ignoredSslPeerCertTracemixin and itsSSLPeerCertTracedatastore optionTest plan
Rebased onto latest master; the conflicts with the merged CSR trace work (#21580) were resolved (both
certificate_peer_cert_traceandcertificate_csr_tracekept as sibling methods). All checks below re-run after the merge.Peer cert labeling: peer certs now print under a
Peer Certheader (alabel:keyword was added toCertificateTracePresenter#to_s_metadata/#to_s_full, defaultx.509), so a server's TLS certificate is no longer visually indistinguishable from an issued/client certificate. Issued-cert (x.509) and CSR output are unchanged.Unit specs (this branch, post-merge):
bundle exec rspec spec/lib/msf/core/exploit/remote/certificate_trace_spec.rb- 54 examples, 0 failuresLive test - HTTP peer cert trace against a real HTTPS server (
auxiliary/scanner/http/http_versionvsexample.com:443,CertificateTrace=full):ssl.peer_cert_seennote when a database is connected, in-memory fallback otherwise).Phasing
This PR covers HTTP only (Phase 1). Follow-up PR covers LDAP over TLS and RDP (Phase 2), with Postgres and SMB over TLS pending TLS support in those mixins.
Depends on: #21198 (already merged)