Fix + Optimizing TLS detection via half-handshake

[Mzack9999]

Closes #1572

Summary by CodeRabbit

• New Features

  • Added automatic TLS detection for TCP connections during scans. Detection is disabled by default and can be enabled via environment configuration; results are recorded per connection.

• Chores

  • Updated several internal library dependencies to newer patch versions.

[coderabbitai]

Walkthrough

Adds an optional, environment-controlled TLS detection step to TCP connect scans: when ENABLE_TLS_DETECTION is true, the scanner invokes netutil.DetectTLS after connection and records the result in the port's TLS field. Also updates go module dependency versions.

Changes

Cohort / File(s)	Change Summary
TLS detection integration pkg/scan/scan.go	Added imports (envutil, netutil), introduced exported EnableTLSDetection (initialized from ENABLE_TLS_DETECTION, default false), and updated TCP connect flow to call netutil.DetectTLS when enabled and assign p.TLS. Minor formatting adjustments.
Dependencies go.mod	Bumped module dependency versions: retryablehttp-go v1.0.129 → v1.0.130, utils v0.6.0 → v0.6.1-...ef99769ae3cb, fastdialer v0.4.14 → v0.4.15.

Sequence Diagram(s)

sequenceDiagram
    participant Scanner
    participant Connector
    participant Target
    participant TLSDetector

    Scanner->>Connector: ConnectPort(host, port, protocol)
    Connector->>Target: TCP connect (establish socket)
    Target-->>Connector: TCP connection established

    alt ENABLE_TLS_DETECTION = true and protocol == tcp
        Connector->>TLSDetector: netutil.DetectTLS(conn)
        TLSDetector->>Target: send ClientHello (non-blocking/minimal)
        alt TLS supported
            Target-->>TLSDetector: ServerHello/response
            TLSDetector->>Connector: return true
            Connector->>Scanner: Port.TLS = true
        else TLS not supported
            Target-->>TLSDetector: reset/no TLS response
            TLSDetector->>Connector: return false
            Connector->>Scanner: Port.TLS = false
        end
    else TLS detection disabled or non-TCP
        Connector->>Scanner: Port.TLS = false (unchanged)
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Review focus:
  • Correct environment loading and default for EnableTLSDetection.
  • Proper invocation and error handling around netutil.DetectTLS (connection reuse/close).
  • Ensure TLS flag assignment (p.TLS) is thread-safe in concurrent scans if applicable.

Poem

🐰 In burrows where the packets creep,
I listen for the handshake's leap.
A gentle ClientHello I send,
If ServerHello replies—TLS, my friend.
Hooray, the rabbit hops again! 🥕🔐

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly addresses the main objective: implementing TLS detection via half-handshake as shown in the code changes adding TLS detection logic.
Linked Issues check	✅ Passed	The code changes implement TLS detection for TCP ports by adding an EnableTLSDetection flag and calling netutil.DetectTLS, directly addressing issue #1572's requirement to detect TLS support.
Out of Scope Changes check	✅ Passed	All changes are scoped to TLS detection implementation: adding necessary imports, introducing a configuration flag, integrating TLS detection logic, and updating dependencies to support the new functionality.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix-tls-detection

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b64b508 and 3fb4e42.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod (2 hunks)
• pkg/scan/scan.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/scan/scan.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: build-mac
• GitHub Check: Lint Test
• GitHub Check: release-test-windows
• GitHub Check: release-test-linux
• GitHub Check: release-test-mac
• GitHub Check: build-linux
• GitHub Check: build-windows
• GitHub Check: Functional Test (ubuntu-latest)
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

go.mod (1)

25-25: Verify the new/updated dependencies and their versions.

Three dependencies are bumped: retryablehttp-go (patch), utils (minor with development version), and fastdialer (patch). The utils dependency uses an unusual pre-release format (v0.6.1-0.20251108140049-ef99769ae3cb) that appears to be a development or commit-based build rather than a tagged release.

Additionally, the actual code changes in pkg/scan/scan.go (which imports and uses these dependencies per the AI summary) are not included in this review, so I cannot verify that:

1. These specific versions are necessary for the TLS detection feature
2. The APIs being called have not changed between versions
3. No breaking changes were introduced

Can you confirm:

• Why the utils package is pinned to a development version instead of a tagged release? Is this intentional?
• How these dependency updates relate to the TLS detection implementation (i.e., which parts of the feature depend on them)?

Once I see the code in pkg/scan/scan.go, I can verify that the new dependencies are properly integrated.

Also applies to: 27-27, 93-93

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d094eb4 and b64b508.

📒 Files selected for processing (1)

• pkg/scan/scan.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/scan/scan.go (1)

pkg/protocol/protocol.go (1)

• TCP (10-10)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Don’t mutate the shared *port.Port when tagging TLS.

Scanner.Ports stores canonical *port.Port values that are reused for every host (see Line 86 and the reuse in the enqueue loops). Multiple goroutines run ConnectPort concurrently, so writing p.TLS = … here introduces a data race. Even worse, ScanResults.AddPort later keeps the same pointer, so a TLS value computed for host A will be overwritten by host B and host A’s result flips retroactively. Please keep the TLS bit host-scoped instead (e.g., copy the struct before tagging or pass the bool alongside the result) and avoid mutating the shared definition.

🤖 Prompt for AI Agents

In pkg/scan/scan.go around lines 585 to 588, the code mutates the shared
*port.Port by setting p.TLS = detectTLS(...), which causes data races and
incorrect cross-host TLS tagging because Scanner.Ports holds canonical pointers
reused across goroutines; instead, do not modify the shared pointer — either
make a local copy of the port struct (value copy) and set the TLS field on that
copy before adding it to host-scoped results, or change the result path to carry
the TLS bool alongside the existing *port.Port (e.g., AddPort(port *port.Port,
tls bool) or enqueue a portValue struct), ensure DetectTLS is called per-host
and its bool kept host-scoped, and update ScanResults.AddPort and any callers to
accept the copy or the additional bool so the shared Scanner.Ports entries
remain immutable.

[dwisiswant0]

and I think it makes sense to move this into httpx so other parts can reuse it easily.