Nmap Development mailing list archives
Re: Ncat SSL regressions
From: David Fifield <david () bamsoftware com>
Date: Sun, 7 Jun 2009 18:06:50 -0600
On Sun, Jun 07, 2009 at 01:27:55AM +0200, Daniel Roethlisberger wrote:
Here's more information on the regressions in the Ncat SSL code: - openssl s_server works with openssl s_client. - ncat -l --ssl from the -listen branch works with openssl s_client - ncat -l --ssl from /nmap does not work with openssl s_client: - ncat -l --ssl from either branch does not work with ncat --ssl: - ncat -l --broker --ssl from either branch doesn't work with ncat --ssl: - ncat -l --broker --ssl from either branch doesn't always work with openssl s_client, first connection doesn't work, second connection works:
I can reproduce all these on Mac OS X, except that I could not get -l --broker --ssl to work with s_client at all. I tried back to r12700 and it still didn't work. Has --ssl ever worked for you on BSD? I think I've found the cause of this, see below.
- openssl s_server does not work with ncat --ssl from either branch:
This always works for me. I think the cause of the problem for Ncat in listen mode is that OpenSSL is working on a non-blocking socket. In gdb I found that the error was happening in the call to SSL_accept. The man page says: If the underlying BIO is non-blocking, SSL_accept() will also return when the underlying BIO could not satisfy the needs of SSL_accept() to continue the handshake, indicating the problem by the return value -1. In this case a call to SSL_get_error() with the return value of SSL_accept() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. Where does the non-blocking socket come from? It is inherited through accept from the non-blocking listening socket. The Linux man page says: On Linux, the new socket returned by accept() does not inherit file status flags such as O_NONBLOCK and O_ASYNC from the listening socket. This behaviour differs from the canonical BSD sockets implementation. Portable programs should not rely on inheritance or non-inheritance of file status flags and always explicitly set all required flags on the socket returned from accept(). In r13612 sockets are made blocking once a connection is made. Would you try it out? Also please see if client connections are not working, because I don't know why that wouldn't be working. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Ncat SSL regressions Daniel Roethlisberger (Jun 06)
- Re: Ncat SSL regressions David Fifield (Jun 07)
- Re: Ncat SSL regressions Daniel Roethlisberger (Jun 08)
- Re: Ncat SSL regressions David Fifield (Jun 07)