Nmap Development mailing list archives

Minor patch to ncat to support chained certs with --ssl option


From: Greg Bailey <gbailey () lxpro com>
Date: Mon, 03 Jun 2013 14:31:01 -0700

Hi,

I'm a relatively new ncat user, and recently needed to set up a man-in-the-middle scenario so that I could log traffic protected by HTTPS.

However, I needed to use a chained certificate, but ncat_ssl.c only loads a single certificate that's specified.

With the following minor patch to ncat/ncat_ssl.c, I was able to chain my certificates together, and ncat used them when setting up the SSL listener:


Index: ncat/ncat_ssl.c
===================================================================
--- ncat/ncat_ssl.c    (revision 30914)
+++ ncat/ncat_ssl.c    (working copy)
@@ -173,8 +173,8 @@
     } else {
         if (o.sslcert == NULL || o.sslkey == NULL)
bye("The --ssl-key and --ssl-cert options must be used together."); - if (SSL_CTX_use_certificate_file(sslctx, o.sslcert, SSL_FILETYPE_PEM) != 1) - bye("SSL_CTX_use_certificate_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
+        if (SSL_CTX_use_certificate_chain_file(sslctx, o.sslcert) != 1)
+ bye("SSL_CTX_use_certificate_chain_file(): %s.", ERR_error_string(ERR_get_error(), NULL)); if (SSL_CTX_use_PrivateKey_file(sslctx, o.sslkey, SSL_FILETYPE_PEM) != 1) bye("SSL_CTX_use_Privatekey_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
     }
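Review bot: the new SSL_CTX_use_certificate_chain_file(sslctx, o.sslcert) call makes the contents of the --ssl-cert file order-sensitive, and nothing in the change documents that. OpenSSL takes the first PEM certificate in the file as the server certificate and treats the certificates after it as the chain, so the file must start with the leaf, followed by the intermediates in order. A file holding a single PEM certificate still loads as before. Please update the --ssl-cert help text and the man page to say that the file may hold a PEM chain and to state the required order, so that a misordered file is not misread as a bad key when the following SSL_CTX_use_PrivateKey_file() call runs. As a minor point in the unchanged context, the error string "SSL_CTX_use_Privatekey_file()" does not match the case of the function name.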


Could this type of change be made? I don't think it would break compatibility with the existing usage of a single cert.

Regards,
Greg Bailey

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

