ztls fallback support and renegotiation error fix

[tarunKoyalwar]

Proposed Changes

• earlier we tried implementing fallback in add ztls fallback support retryablehttp-go#99 but nuclei uses a custom DialTLSConfig to add/manage client certificates . hence fallback logic is not applied at all now with fastdialer it is preserved and available by default
• adds ztls fallback with chrome ciphers to resolve remote error: tls: insufficient security level nuclei#2805
• when using fastdialer.DialTLS renegotiation was not set which caused local error: tls: no renegotiation nuclei#3553 in nuclei
• updated README about fallback and env variable
• closes fastdialer ztls fallback + bug fix #145

Notes

suggesting deprecating and removing -ztls mode in nuclei . ZTLS currently does not support TLS1.3 as well as Renogotiation. using fastdialer in this PR with nuclei shows using ztls mode by default causes host to skip since it does not support renogotiation

Setup

checkout nuclei from projectdiscovery/nuclei#3909 which contains fastdialer from this PR

using nuclei with ztls mode

$  echo "https://moh.gov.sy" | go run . -v -id tech-detect -nh -ztls

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.8

		projectdiscovery.io

[INF] Current nuclei version: v2.9.8 (latest)
[INF] Current nuclei-templates version: v9.5.4 (latest)
[INF] New templates added in latest release: 51
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[WRN] [tech-detect] Could not execute request for https://moh.gov.sy: GET https://moh.gov.sy giving up after 2 attempts: Get "https://moh.gov.sy": local error: no renegotiation
[INF] No results found. Better luck next time!

using nuclei without ztls mode (i.e implicit ztls fallback)

$ echo "https://moh.gov.sy" | go run . -v -id tech-detect -nh      

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.8

		projectdiscovery.io

[INF] Current nuclei version: v2.9.8 (latest)
[INF] Current nuclei-templates version: v9.5.4 (latest)
[INF] New templates added in latest release: 51
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[VER] [tech-detect] Sent HTTP request to https://moh.gov.sy
[tech-detect:ms-iis] [http] [info] https://moh.gov.sy/
[tech-detect:ms-iis] [http] [info] https://moh.gov.sy/Default.aspx?tabid=704&language=en-US
[tech-detect:ms-iis] [http] [info] https://moh.gov.sy

• unless we have a reason to explicitly keep -ztls flag i think we should remove it since its use cases are covered and sometimes using it causes issues

[tarunKoyalwar]

successful fallback to ztls resolves projectdiscovery/nuclei#2805

$ echo https://217.75.198.227:8443 | go run . -v -id tech-detect -nh                                       130 ↵

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.8

		projectdiscovery.io


[INF] Current nuclei version: v2.9.8 (latest)
[INF] Current nuclei-templates version: v9.5.4 (latest)
[INF] New templates added in latest release: 51
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[VER] [tech-detect] Sent HTTP request to https://217.75.198.227:8443
[INF] No results found. Better luck next time!

[Mzack9999]

lgtm! - Let's also deprecate the -ztls flag both in nuclei and httpx once fastdialer is updated.

[ehsandeep]

🔥