Return all the TLS handshake details we have even if handshake fails (#613)

phillip-stephens · web-flow · commit fcccf0cb3883 · 2025-09-22T15:47:01.000-07:00
* return TLS connection info even on handshake error. Fixes a regression introduced in 336455 and reported in issue 582

* Remove a todo
diff --git a/modules/tls.go b/modules/tls.go
@@ -3,7 +3,6 @@ package modules
 import (
 	"context"
 	"errors"
-	"fmt"
 
 	log "github.com/sirupsen/logrus"
 
@@ -85,22 +84,30 @@ func (s *TLSScanner) InitPerSender(senderID int) error {
 // heartbleed, if enabled).
 func (s *TLSScanner) Scan(ctx context.Context, dialerGroup *zgrab2.DialerGroup, target *zgrab2.ScanTarget) (zgrab2.ScanStatus, any, error) {
 	conn, err := dialerGroup.Dial(ctx, target)
+	if conn != nil {
+		defer zgrab2.CloseConnAndHandleError(conn)
+	}
 	if err != nil {
-		return zgrab2.TryGetScanStatus(err), nil, fmt.Errorf("failed to dial target %s: %w", target.String(), err)
+		// Even on an error, we want to give the TLS Log if we have it.
+		if conn != nil {
+			if tlsConn, ok := conn.(*zgrab2.TLSConnection); ok {
+				if tlsLog := tlsConn.GetLog(); tlsLog != nil {
+					if tlsLog.HandshakeLog.ServerHello != nil {
+						// If we got far enough to get a valid ServerHello, then
+						// consider it to be a positive TLS detection.
+						return zgrab2.TryGetScanStatus(err), tlsLog, err
+					}
+					// Otherwise, detection failed.
+				}
+			}
+		}
+		return zgrab2.TryGetScanStatus(err), nil, err
 	}
-	defer zgrab2.CloseConnAndHandleError(conn)
 	tlsConn, ok := conn.(*zgrab2.TLSConnection)
 	if !ok {
-		return zgrab2.SCAN_INVALID_INPUTS, nil, errors.New("tls scanner requires a default dialer that creates TLS connections")
-	}
-	tlsLog := tlsConn.GetLog()
-	if tlsLog != nil && tlsLog.HandshakeLog.ServerHello != nil {
-		// If we got far enough to get a valid ServerHello, then
-		// consider it to be a positive TLS detection.
-		return zgrab2.SCAN_SUCCESS, tlsLog, nil
+		return zgrab2.SCAN_UNKNOWN_ERROR, nil, errors.New("scan returned non-TLS connection")
 	}
-	// Otherwise detection failed
-	return zgrab2.SCAN_HANDSHAKE_ERROR, nil, errors.New("tls handshake failed")
+	return zgrab2.SCAN_SUCCESS, tlsConn.GetLog(), nil
 }
 
 // Protocol returns the protocol identifer for the scanner.
diff --git a/processing.go b/processing.go
@@ -139,8 +139,12 @@ func GetDefaultTLSWrapper(tlsFlags *TLSFlags) func(ctx context.Context, t *ScanT
 			flags: tlsFlags,
 		}
 		err = tlsConn.Handshake()
-		if err != nil {
+		if err != nil && tlsConn.log == nil {
+			// If the handshake fails and we have no log, just return error
 			return nil, fmt.Errorf("could not perform tls handshake for target %s: %w", t.String(), err)
+		} else if err != nil {
+			// We'll return both the error and the connection so ZGrab can return the handshake log
+			return &tlsConn, fmt.Errorf("could not successfully complete tls handshake for target %s: %w", t.String(), err)
 		}
 		return &tlsConn, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -139,8 +139,12 @@ func GetDefaultTLSWrapper(tlsFlags TLSFlags) func(ctx context.Context, t ScanT`
`139`	`139`	`flags: tlsFlags,`
`140`	`140`	`}`
`141`	`141`	`err = tlsConn.Handshake()`
`142`		`- if err != nil {`
	`142`	`+ if err != nil && tlsConn.log == nil {`
	`143`	`+ // If the handshake fails and we have no log, just return error`
`143`	`144`	`return nil, fmt.Errorf("could not perform tls handshake for target %s: %w", t.String(), err)`
	`145`	`+ } else if err != nil {`
	`146`	`+ // We'll return both the error and the connection so ZGrab can return the handshake log`
	`147`	`+ return &tlsConn, fmt.Errorf("could not successfully complete tls handshake for target %s: %w", t.String(), err)`
`144`	`148`	`}`
`145`	`149`	`return &tlsConn, err`
`146`	`150`	`}`