Nmap Development mailing list archives
Support for sending a client certificate in connect mode using SSL with Ncat.
From: venkat sanaka <venkatsanaka () gmail com>
Date: Fri, 29 May 2009 05:07:19 +0530
Hi everyone,

I added a new feature for Ncat's SSL support in connect mode so that it can now send a certificate to an SSL server, which uses it for client authentication, using the --ssl-cert and --ssl-key options. In this mail I am going to explain this new feature with an example and also give instructions for setting up the web server for testing.

You know that Ncat supports SSL in connect mode to act as an SSL client, providing options like --ssl-verify (server's certificate verification) and --ssl-trustfile to specify a list of trusted certificates, etc. Some of these options were implemented by David last month, and he also explained how to use them in this mail:
http://seclists.org/nmap-dev/2009/q2/0183.html

You can also find that the new feature I added now is one of the ideas for more improvements in that mail. As mentioned by David, some servers request the client's certificate for authentication, which is the reverse of the most general case, in which the client authenticates the server for the SSL connection to be established.

For more details on how to use Ncat's SSL support, please read the Ncat Users' Guide here:
http://nmap.org/ncat/guide/ncat-ssl.html

The command for using this feature is:

ncat --ssl --ssl-cert <clientcert.pem> --ssl-key <clientkey.pem> server port

Notes:
*The usage of other connect mode options remains the same.
*The specified client certificate is used (sent) only when it is requested by the SSL server, otherwise not.

Example & Testing:

For testing purposes I configured an Apache web server with mod_ssl support and client authentication enabled. These sites explain how it can be configured:
http://www.flatmtn.com/article/setting-ssl-certificates-apache
http://www.securityfocus.com/infocus/1823
or google Apache SSL support for your own distro :).

It basically involves a few changes in the config file.
*The list of trusted CAs and the components of certificates which are to be verified for access control are also specified in this config file.

Part of my config file which does these:

.................................................
#Certificate Authority (CA):
#List of trusted CAs
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

#Client Authentication (Type):
#Client certificate verification type and depth.
#This enables Client authentication.
SSLVerifyClient require
SSLVerifyDepth 1

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
<Location / >
SSLRequireSSL
SSLRequire (%{SSL_CLIENT_S_DN_O} eq "Nmap")
</Location>
#Here Organization(O) component of client certificate is verified for "Nmap".
.......................................................

This makes Apache act as an HTTPS server on the default port 443.

Now connect to this web server using Ncat:

ncat -C --ssl --ssl-cert <servercert.pem> --ssl-key <serverkey.pem> localhost 443
GET / HTTP/1.0

You can send a GET request only when the SSL connection is established successfully, which happens only if the client certificate is in the list of trusted CAs and the components of the certificate equal the desired values.

I compared the behaviour of Ncat with that of the Firefox browser when connecting to this server with different test cases, and it is well matched.

I merged this in r13425. You can svn update for this change or wait for the next beta release, which will be in a day or 2.

Ideas for improvement:
To add client authentication support for Ncat in listen mode, such that it sends a request to the client for a certificate and does the verification in the same way as Apache did above, only if it is worth doing, though it may be complex. This may not be of high priority.

Regards
Venkat

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
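For readers who want test certificates to run the setup above, the following is an added example, not part of the original mail or of Ncat: it builds a throwaway CA and client certificates with the openssl command line and checks each one locally against the two conditions the quoted Apache config enforces (issued by a trusted CA, subject O equal to "Nmap"). All file names, subject names and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; every file and subject name here
# is an assumption, not taken from the mail.

# make_ca DIR NAME: self-signed CA, written to DIR/NAME.key and DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Test CA/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_client DIR CA NAME ORG: client key and certificate issued by DIR/CA
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=$4/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# client_would_pass CAFILE CERT ORG: local approximation of the two checks in
# the quoted config: the chain must verify against the trusted CA file
# (SSLCACertificateFile / SSLVerifyClient require) and the subject O must
# equal ORG (SSLRequire on SSL_CLIENT_S_DN_O).
client_would_pass() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    org=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
          sed -n 's/^ *organizationName *= *//p')
    [ "$org" = "$3" ]
}

# demo: one acceptable client and two that the server should turn away
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca && make_ca "$d" otherca &&
    make_client "$d" ca good Nmap &&
    make_client "$d" ca wrongorg Other &&
    make_client "$d" otherca wrongca Nmap || return 1
    for c in good wrongorg wrongca; do
        if client_would_pass "$d/ca.crt" "$d/$c.crt" Nmap
        then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

Remove the `rm -rf` line to keep the generated files; with ca.crt installed as the server's SSLCACertificateFile, good.crt and good.key are the values for --ssl-cert and --ssl-key.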