
Update ssl_version module to be useful

Open h00die opened this issue 3 years ago • 1 comments

The current implementation of ssl_version does just about nothing unfortunately. I think it was put together in haste to scan for POODLE, but time has not been kind to it.

  1. it does a fingerprint thing which I still don't understand what the intention was, or how it worked
  2. it only claimed poodle was there if you set it to SSLv3 specifically, w/o actually checking anything
  3. it used HTTPS and was in the http folder, but SSL should be done independently.
  4. it didn't do anything about ciphers
  5. it didn't store or process the SSL certificate it was given
  6. it didn't give any feedback

Example run pre-improvements against a piece of networking equipment I own:

msf6 auxiliary(scanner/http/ssl_version) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf6 auxiliary(scanner/http/ssl_version) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Less than stellar. Maybe verbose?

msf6 auxiliary(scanner/http/ssl_version) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/ssl_version) > run

[*] 2.2.2.2:443       connected and fingerprinted: 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

...great...

So what improvements have we made?

  1. moved this module to the ssl folder instead of http folder
  2. combined the ssl.rb functionality as it just grabbed the cert and processed it... no need to do things twice.
  3. fixed the CA Issuers logic so it works again
  4. Fixed a lot of logic on picking SSL Versions and the cipher suites accepted by them. You'll see some ugly array processing and such to do this, it seems the logic in rex/socket/ssl_tcp.rb isn't as sound (just because a cipher exists, doesn't mean it's valid for a version of ssl protocol).
  5. put all the checks into one function so they aren't everywhere and attempted to pull correct references for them.
  6. added checks for Deprecated protocols, expired/not valid certs, low key strength, Null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
  7. made the printing not awful, but still not great
  8. attempted to build in logic to bail early if a ssl protocol wasn't accepted by the server
  9. general user feedback so you know what's going on.

What a run looks like now against the same equipment.

[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
[+] 2.2.2.2:443       - Certificate saved to loot: /root/.msf4/loot/20221016190541_default_2.2.2.2_ssl.certificate_643078.txt
[*] 2.2.2.2:443       - Certificate Information:
[*] 2.2.2.2:443       -     Subject: /CN=example
[*] 2.2.2.2:443       -     Issuer: /CN=example
[*] 2.2.2.2:443       -     Signature Alg: sha256WithRSAEncryption
[*] 2.2.2.2:443       -     Public Key Size: 2048 bits
[*] 2.2.2.2:443       -     Not Valid Before: 2021-03-06 15:39:01 UTC
[*] 2.2.2.2:443       -     Not Valid After: 2023-06-09 15:39:01 UTC
[+] 2.2.2.2:443       -     Certificate contains no CA Issuers extension... possible self signed certificate
[+] 2.2.2.2:443       -     Certificate Subject and Issuer match... possible self signed certificate
[*] 2.2.2.2:443       -     Has common name example
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
[*] 2.2.2.2:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Good, clean, concise. Make it verbose to see all the things we actually tried.

msf6 auxiliary(scanner/ssl/ssl_version) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssl/ssl_version) > run

[*] 2.2.2.2:443       - Scanning 2.2.2.2 for: SSLv3, TLSv1.0, TLSv1.2, TLSv1.3
[*] 2.2.2.2:443       - Scanning 2.2.2.2 SSLv3 with ciphers: DHE-RSA-AES256-SHA, DHE-RSA-AES128-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA
[*] 2.2.2.2:443       - Attempting connection with SSL Version: SSLv3, Cipher: DHE-RSA-AES256-SHA
[-] 2.2.2.2:443       -     Doesn't accept SSLv3 connections, Skipping
[*] 2.2.2.2:443       - Scanning 2.2.2.2 TLSv1.0 with ciphers: ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA384, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.0, Cipher: ECDHE-ECDSA-AES256-SHA
[-] 2.2.2.2:443       -     This version of Ruby does not support the requested SSL/TLS version TLSv1_0, Skipping
[*] 2.2.2.2:443       - Scanning 2.2.2.2 TLSv1.2 with ciphers: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY1305, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
[+] 2.2.2.2:443       - Certificate saved to loot: /home/h00die/.msf4/loot/20221016190643_default_2.2.2.2_ssl.certificate_075898.txt
[*] 2.2.2.2:443       - Certificate Information:
[*] 2.2.2.2:443       -     Subject: /CN=example
[*] 2.2.2.2:443       -     Issuer: /CN=example
[*] 2.2.2.2:443       -     Signature Alg: sha256WithRSAEncryption
[*] 2.2.2.2:443       -     Public Key Size: 2048 bits
[*] 2.2.2.2:443       -     Not Valid Before: 2021-03-06 15:39:01 UTC
[*] 2.2.2.2:443       -     Not Valid After: 2023-06-09 15:39:01 UTC
[+] 2.2.2.2:443       -     Certificate contains no CA Issuers extension... possible self signed certificate
[+] 2.2.2.2:443       -     Certificate Subject and Issuer match... possible self signed certificate
[*] 2.2.2.2:443       -     Has common name example
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-ECDSA-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-RSA-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-GCM-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-ECDSA-AES128-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: sslv3 alert handshake failure
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: RSA-PSK-AES256-GCM-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-PSK-AES256-GCM-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: RSA-PSK-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-PSK-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: ECDHE-PSK-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: PSK-AES256-GCM-SHA384
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: PSK-CHACHA20-POLY1305
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: RSA-PSK-AES128-GCM-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: DHE-PSK-AES128-GCM-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: PSK-AES128-GCM-SHA256
[-] 2.2.2.2:443       -     Does not accept TLSv1.2, error message: error: no ciphers available
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: AES256-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.2, Cipher: AES128-SHA256
[+] 2.2.2.2:443       - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
[*] 2.2.2.2:443       - Scanning 2.2.2.2 TLSv1.3 with ciphers: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256
[*] 2.2.2.2:443       - Attempting connection with SSL Version: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384
[-] 2.2.2.2:443       -     This version of Ruby does not support the requested SSL/TLS version TLSv1_3, Skipping
[*] 2.2.2.2:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Testing

  1. Do: use auxiliary/scanner/ssl/ssl_version
  2. Do: set RHOSTS [IP]
  3. Do: set THREADS [num of threads]
  4. Do: run

h00die avatar Oct 16 '22 23:10 h00die

Going to upload some changes so long, these were just some adjustments I found whilst reviewing that I didn't think quite deserved a review comment. Mostly minor fixes though I did also add in some comment level documentation of some of your functions to explain what they are doing, mostly cause I found myself doing the same as I was reviewing and thought it might be helpful for others.

I'm also removing modules/auxiliary/scanner/http/ssl.rb given that we now redirect:

msf6 > use auxiliary/scanner/http/ssl

[!] *                 The module auxiliary/scanner/http/ssl has been moved!                  *
[!] *                    You are using auxiliary/scanner/ssl/ssl_version                     *
msf6 auxiliary(scanner/http/ssl) > use auxiliary/scanner/http/ssl_version

[!] *             The module auxiliary/scanner/http/ssl_version has been moved!              *
[!] *                    You are using auxiliary/scanner/ssl/ssl_version                     *
msf6 auxiliary(scanner/http/ssl_version) > 

gwillcox-r7 avatar Oct 18 '22 14:10 gwillcox-r7

still need to look into the CA Issuers - URI stuff, but throwing up this commit that fixes everything else. @gwillcox-r7 let me know if that first comment in get_metasploit_ssl_versions makes more sense now.

h00die avatar Oct 23 '22 23:10 h00die

> still need to look into the CA Issuers - URI stuff, but throwing up this commit that fixes everything else. @gwillcox-r7 let me know if that first comment in get_metasploit_ssl_versions makes more sense now.

Explanation is a lot clearer, left some comments on some ideas for making the transitions between points smoother but detail is on point now, much appreciated ❤️

gwillcox-r7 avatar Oct 24 '22 21:10 gwillcox-r7

@msjenkins-r7 test this please.

gwillcox-r7 avatar Oct 31 '22 20:10 gwillcox-r7

Rebased since for some reason there is a small possibility our tests may be failing if we don't rebase against the latest changes. Also a minor update to RuboCop so that we actually pass the RuboCop tests and then squashing of some commits.

gwillcox-r7 avatar Nov 01 '22 03:11 gwillcox-r7

a6323a473556fd4a8ae4c3ca602705a7c83ec3d5 is a ninja commit fix to the documentation to update the examples so that they are in line with recent code changes.

gwillcox-r7 avatar Nov 07 '22 22:11 gwillcox-r7

Release Notes

A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and deprecated protocols, and better error handling.

gwillcox-r7 avatar Nov 07 '22 22:11 gwillcox-r7

For any future travelers, more info on snakeoil: it seems to be mentioned in at least Apache documentation https://github.com/apache/httpd/blob/bc06af47216919a048a15f90d0ae5c2983800710/docs/manual/ssl/ssl_howto.html.en.utf8 (as one example, there are more in there)

h00die avatar Dec 30 '22 13:12 h00die