Nmap Development mailing list archives
Re: ncat http proxy server and SSL
From: Markus Klinik <markus.klinik () gmx de>
Date: Wed, 17 Mar 2010 22:28:43 +0100
On Mon, Mar 15, 2010 at 03:43:26PM -0600, David Fifield wrote:
These tests all started passing once your patch was applied.
I tried running the tests, but some of them are failing randomly with read timeouts, for example the "Server sends EOF after client disconnect" tests. Sometimes they all pass. Bumping the timeout value up to 5 seconds doesn't fix the random failures. Maybe it's some race condition when setting up the test cases. Do you have similar behavior?
I'd be interested in your thoughts on the implementation of SSL in the proxy client. Ncat might be the only client that can actually make use of an SSL-enabled proxy. If you have thoughts about this I'd still like to hear them.
The ssl proxy client feature is definitely missing. Implementing it should be similar in nature to the server side. Only that the proxy client uses nsock for the read/forward loop, which cannot make use of our fdinfo. So either we implement the loop as it is implemented in the server (with fdinfo_recv/send), or we use nsock for both SSL-connecting to the server and the read/forward loop. I didn't look at nsock yet, but I assume it supports SSL. My schedule is rather cramped at the moment, so it may be some weeks before I find time to look at it.

Just some thought (or better: a wild guess) about why there are no HTTP clients supporting SSL enabled proxies. If the client wants to fetch an https website using an SSL enabled proxy, it first has to open an SSL connection to the proxy. Then, using that connection and HTTP CONNECT, open another SSL connection to the https website. It would have to do SSL over SSL using one file descriptor. If I (again) understand correctly, OpenSSL does not support SSL over SSL (don't know about other SSL libraries). At least I didn't find a way to tell SSL_send to use SSL_send again. Of course such a situation could be handled by ncat using something like

    ncat --ssl --proxy=http --exec 'ncat --ssl ...'

but there would be two processes with two file descriptors involved.

If the SSL proxy client feature is implemented, the above should become a test case.

Also, we could do something like proxytunnel does. And enable multiple chained proxies. A must have :)

Another thing, just for the record. There was a bug in my patch in the error handling of the proxy server's read/forward loop, but I see you already fixed it.

Best regards
Markus