Nmap Development mailing list archives

Support for sending a client certificate in connect mode using SSL with Ncat.


From: venkat sanaka <venkatsanaka () gmail com>
Date: Fri, 29 May 2009 05:07:19 +0530

Hi everyone

I added a new feature to Ncat's SSL support in connect mode so that it can now
send a certificate to an SSL server, which uses it for client authentication,
using the --ssl-cert and --ssl-key options. In this mail I am going to explain
this new feature with an example and also give instructions for setting up the
web server for testing.

You know that Ncat supports SSL in connect mode to act as an SSL client,
providing options like --ssl-verify (server's certificate verification) and
--ssl-trustfile to specify a list of trusted certificates, etc.

Some of these options were implemented by David last month, and he also
explained how to use them in this mail:
http://seclists.org/nmap-dev/2009/q2/0183.html
The new feature I added now is one of the ideas for more improvements in that
mail. As mentioned by David, some servers request the client's certificate for
authentication, which is the reverse of the most general case, in which the
client authenticates the server for the SSL connection to be established.

For more details on how to use Ncat's SSL support, please read the Ncat
Users' Guide here:
http://nmap.org/ncat/guide/ncat-ssl.html

The command for using this feature is:
ncat --ssl --ssl-cert <clientcert.pem> --ssl-key <clientkey.pem> server port

Notes:
* The usage of other connect mode options remains the same.
* The specified client certificate is used (sent) only when it is requested by
  the SSL server, otherwise not.

Example & Testing:
For testing purposes I configured an Apache web server with mod_ssl support and
client authentication enabled.

These sites explain how it can be configured:
http://www.flatmtn.com/article/setting-ssl-certificates-apache
http://www.securityfocus.com/infocus/1823
or google Apache SSL support for your own distro :).
It basically involves a few changes in the config file.

* The list of trusted CAs and the components of certificates which are to be
  verified for access control are also specified in this config file.
  This is the part of my config file which does this:
.................................................
#Certificate Authority (CA):
#List of trusted CAs
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

#Client Authentication (Type):
#Client certificate verification type and depth.
#This enables Client authentication.
    SSLVerifyClient require
    SSLVerifyDepth  1

#   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
        <Location / >
        SSLRequireSSL
        SSLRequire (%{SSL_CLIENT_S_DN_O} eq "Nmap")
       </Location>
     #Here the Organization (O) component of the client certificate is verified for "Nmap".


.......................................................
This makes Apache act as an HTTPS server on the default port 443.
Now connect to this web server using Ncat:
ncat -C --ssl --ssl-cert <servercert.pem> --ssl-key <serverkey.pem> localhost 443
GET / HTTP/1.0

You can send a GET request only when the SSL connection is established
successfully, which happens only if the client certificate is in the list of
trusted CAs and the components of the certificate equal the desired values.

I compared the behaviour of Ncat with that of the Firefox browser when
connecting to this server with different test cases, and it matched well.

I merged this in r13425. You can svn update for this change or wait for the
next beta release, which will be in a day or 2.

Ideas for improvement:
To add client authentication support for Ncat in listen mode, such that
it sends a request to the client for a certificate and does the verification
in the same way as Apache did above, only if it is worth doing, though it may
be complex. This may not be of high priority.

Regards
Venkat

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
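
A local pre-flight check for the files passed to --ssl-cert and --ssl-key, mirroring the two server-side conditions in the quoted Apache config (trusted CA, and O equal to "Nmap"). This is an added example, not part of the original mail or of Ncat; the throwaway CA, the names alice and bob, and all function names are constructed, and it assumes the openssl command-line tool with its default configuration.

```shell
#!/usr/bin/env bash
# Added example: test CA, subjects, names and paths are all constructed values.

# make_ca DIR: create a throwaway self-signed CA (ca.key, ca.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Test CA/CN=Test Root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_client DIR NAME ORG: issue NAME.crt and NAME.key, signed by DIR/ca.crt.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=$3/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

# cert_org CERT: print the Organization (O) component of the subject DN.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *organizationName *= *//p'
}

# check_client_cert CA_FILE CERT KEY WANT_ORG
# Prints one of: ok, untrusted, wrong-org, key-mismatch.
check_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo untrusted; return 1; }     # SSLCACertificateFile + SSLVerifyClient require
    [ "$(cert_org "$2")" = "$4" ] ||
        { echo wrong-org; return 2; }     # SSLRequire (%{SSL_CLIENT_S_DN_O} eq "Nmap")
    [ "$(openssl x509 -in "$2" -pubkey -noout)" = \
      "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] ||
        { echo key-mismatch; return 3; }  # --ssl-cert and --ssl-key must belong together
    echo ok
}

# Demo with constructed identities: alice has O=Nmap, bob has O=Other.
work=$(mktemp -d)
make_ca "$work"
make_client "$work" alice Nmap
make_client "$work" bob Other
for who in alice bob; do
    printf '%s: %s\n' "$who" \
        "$(check_client_cert "$work/ca.crt" "$work/$who.crt" "$work/$who.key" Nmap)"
done
rm -rf "$work"
```

The check does not model SSLVerifyDepth; it only confirms that the certificate chains to the given CA file.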

