Nmap Development mailing list archives

Re: Ncat SSL regressions


From: David Fifield <david () bamsoftware com>
Date: Sun, 7 Jun 2009 18:06:50 -0600

On Sun, Jun 07, 2009 at 01:27:55AM +0200, Daniel Roethlisberger wrote:
> Here's more information on the regressions in the Ncat SSL code:
> 
> -   openssl s_server works with openssl s_client.
> 
> -   ncat -l --ssl from the -listen branch works with openssl
>     s_client
> 
> -   ncat -l --ssl from /nmap does not work with openssl s_client:
> 
> -   ncat -l --ssl from either branch does not work with
>     ncat --ssl:
> 
> -   ncat -l --broker --ssl from either branch doesn't work with
>     ncat --ssl:
> 
> -   ncat -l --broker --ssl from either branch doesn't always work
>     with openssl s_client, first connection doesn't work, second
>     connection works:
I can reproduce all these on Mac OS X, except that I could not get -l
--broker --ssl to work with s_client at all. I tried back to r12700 and
it still didn't work. Has --ssl ever worked for you on BSD? I think I've
found the cause of this, see below.

> -   openssl s_server does not work with ncat --ssl from either
>     branch:

This always works for me.

I think the cause of the problem for Ncat in listen mode is that OpenSSL
is working on a non-blocking socket. In gdb I found that the error was
happening in the call to SSL_accept. The man page says:

       If the underlying BIO is non-blocking, SSL_accept() will also
       return when the underlying BIO could not satisfy the needs of
       SSL_accept() to continue the handshake, indicating the problem by
       the return value -1. In this case a call to SSL_get_error() with
       the return value of SSL_accept() will yield SSL_ERROR_WANT_READ
       or SSL_ERROR_WANT_WRITE.

Where does the non-blocking socket come from? It is inherited through
accept from the non-blocking listening socket. The Linux man page says:

        On Linux, the new socket returned by accept() does not inherit
        file status flags such as O_NONBLOCK and O_ASYNC from the
        listening socket. This behaviour differs from the canonical BSD
        sockets implementation. Portable programs should not rely on
        inheritance or non-inheritance of file status flags and always
        explicitly set all required flags on the socket returned from
        accept().

In r13612 sockets are made blocking once a connection is made. Would you
try it out? Also please see if client connections are not working,
because I don't know why that wouldn't be working.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
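The fix David describes above, making the accepted socket blocking instead of relying on whatever accept() inherits from the listener, worked through as an added C example. This is not Ncat's own r13612 change; the function names (fd_is_nonblocking, fd_set_blocking, accept_blocking, the demo_* helpers) are mine. It sets up a non-blocking loopback listener, as Ncat's listen mode does, so you can observe on the running platform whether a plain accept() passes O_NONBLOCK along (the BSD behaviour Daniel hit on Mac OS X) and see that accept_blocking() hands back a blocking descriptor either way.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if O_NONBLOCK is set on fd, 0 if not, -1 on error. */
int fd_is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1)
        return -1;
    return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Explicitly set or clear O_NONBLOCK on fd; -1 on error. */
int fd_set_blocking(int fd, int blocking)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1)
        return -1;
    flags = blocking ? (flags & ~O_NONBLOCK) : (flags | O_NONBLOCK);
    return fcntl(fd, F_SETFL, flags);
}

/* accept() followed by an explicit switch to blocking mode, as the Linux
 * accept(2) man page advises for portable code. A later SSL_accept() on the
 * returned socket therefore never sees a non-blocking BIO and cannot come
 * back with -1 / SSL_ERROR_WANT_READ. Returns the new fd or -1. */
int accept_blocking(int listen_fd, struct sockaddr *addr, socklen_t *addrlen)
{
    int fd;
    do {
        fd = accept(listen_fd, addr, addrlen);
    } while (fd == -1 && errno == EINTR);
    if (fd == -1)
        return -1;
    if (fd_set_blocking(fd, 1) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a non-blocking listener on 127.0.0.1 (kernel-chosen
 * port) with one connected client, mirroring Ncat's listening socket.
 * On success both fds are open and the connection is in the accept queue. */
static int loopback_pair(int *lfd, int *cfd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;

    *lfd = socket(AF_INET, SOCK_STREAM, 0);
    *cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (*lfd != -1 && *cfd != -1 &&
        bind(*lfd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        getsockname(*lfd, (struct sockaddr *)&sa, &len) == 0 &&
        listen(*lfd, 1) == 0 &&
        fd_set_blocking(*lfd, 0) == 0 &&      /* listener is non-blocking */
        connect(*cfd, (struct sockaddr *)&sa, sizeof sa) == 0)
        return 0;
    if (*lfd != -1) close(*lfd);
    if (*cfd != -1) close(*cfd);
    return -1;
}

/* Does a plain accept() from the non-blocking listener yield a non-blocking
 * socket? 1 where flags are inherited (BSD-derived stacks), 0 on Linux. */
int demo_raw_accept_nonblocking(void)
{
    int lfd, cfd, afd, r;
    if (loopback_pair(&lfd, &cfd) == -1)
        return -1;
    afd = accept(lfd, NULL, NULL);
    r = (afd == -1) ? -1 : fd_is_nonblocking(afd);
    if (afd != -1) close(afd);
    close(cfd);
    close(lfd);
    return r;
}

/* Same check through accept_blocking(): 0 on every platform, -1 on error. */
int demo_accept_blocking_nonblocking(void)
{
    int lfd, cfd, afd, r;
    if (loopback_pair(&lfd, &cfd) == -1)
        return -1;
    afd = accept_blocking(lfd, NULL, NULL);
    r = (afd == -1) ? -1 : fd_is_nonblocking(afd);
    if (afd != -1) close(afd);
    close(cfd);
    close(lfd);
    return r;
}

int main(void)
{
    printf("plain accept() inherits O_NONBLOCK here: %d\n",
           demo_raw_accept_nonblocking());
    printf("accept_blocking() result is non-blocking: %d\n",
           demo_accept_blocking_nonblocking());
    return 0;
}
```

The first number is platform dependent and is exactly the portability trap the man page warns about; the second should be 0 everywhere. The alternative to forcing blocking mode is to keep the socket non-blocking and, as the SSL_accept man page quoted above describes, retry SSL_accept() after select() whenever SSL_get_error() reports SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE; that is more code and only worth it when the handshake must not stall the event loop.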

