Nmap Development mailing list archives
Re: ncat ssl insecure?!
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 21 Jan 2017 08:44:49 -0600
Zibri,

Thanks for asking. Ncat tries to make the best of whatever certificate you give it. That's one cause of the "obsolete key exchange (RSA)" message you got: you generated an RSA certificate. Now that's not actually a problem if you generated a strong enough key: 2048 or greater key strength is recommended. The rest (GCM cipher suite, TLS 1.2) is probably the best you can do with OpenSSL as you've built it.

There is one area where Ncat can improve, and we have an issue to track progress [1]. Ncat does not support Diffie-Hellman or Elliptic Curve Diffie-Hellman key exchange methods. The ephemeral versions of these are what Chrome would consider "strong" or "modern" because they have the interesting property called "forward security." This means that even if your private key is compromised, packet captures of previous sessions cannot be decrypted. It's an important feature of TLS, and we would really like to add it to Ncat before long.

Dan

[1] https://github.com/nmap/nmap/issues/290

On Fri, Jan 20, 2017 at 5:17 PM, Zibri <zibree () gmail com> wrote:
> connecting using google chrome to ncat ( gives an insecure error:
>
> The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).
>
> obviously it can be manually ignored but it's annoying...
>
> I run ncat in this way:
>
> ncat -lk -p 8084 --ssl --ssl-cert=cert.pem --ssl-key=privkey.pem -c ./myscript.sh
>
> is there any way to avoid it or is it a problem that must be addressed by you?
>
> regards,
> Zibri
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
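The distinction Dan draws above, between a static RSA key exchange and the ephemeral (EC)DHE exchanges that give forward secrecy, is easy to check mechanically from the cipher-suite name a browser or `openssl s_client` reports. The following is an added example, not code from Ncat, Nmap or this thread: it classifies suite names in both the IANA form Chrome shows (`TLS_RSA_WITH_AES_128_GCM_SHA256`) and the OpenSSL form (`ECDHE-RSA-AES128-GCM-SHA256`), and builds a Python `ssl.SSLContext` that refuses to negotiate static-RSA suites at all, which is the server-side fix for the warning once the server software supports (EC)DHE. The sample suite list at the bottom is constructed for the demonstration; the cipher string passed to `set_ciphers` is one reasonable choice, not a setting taken from the thread.

```python
"""Classify TLS cipher suites by key exchange and forward secrecy (added example)."""
import re
import ssl

# IANA-style names carry the key exchange before "_WITH_", e.g. TLS_ECDHE_RSA_WITH_...
_IANA = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>.+)$")

# TLS 1.3 suite names omit the key exchange entirely because TLS 1.3 only
# ever uses ephemeral (EC)DH, so every one of these is forward secret.
_TLS13 = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# OpenSSL-style leading tokens that name a key exchange explicitly.
_OPENSSL_KX = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange token of a suite name in either naming form.

    IANA form yields e.g. 'RSA', 'ECDHE_RSA', 'DHE_RSA'; OpenSSL form yields
    'ECDHE', 'DHE', 'ECDH', ... or 'RSA' for the bare static-RSA suites that
    OpenSSL names without a key-exchange prefix (e.g. AES128-GCM-SHA256).
    """
    s = suite.strip().upper()
    if s in _TLS13:
        return "ECDHE"
    m = _IANA.match(s)
    if m:
        return m.group("kx")
    first = s.split("-")[0]
    return first if first in _OPENSSL_KX else "RSA"


def forward_secret(suite: str) -> bool:
    """True when the suite uses an ephemeral (EC)DH key exchange.

    Static RSA (the 'obsolete key exchange (RSA)' Chrome complains about) and
    static ECDH/DH are not forward secret: a later compromise of the server's
    private key lets captured sessions be decrypted.
    """
    head = key_exchange(suite).replace("_", "-").split("-")[0]
    return head in {"ECDHE", "DHE", "EDH"}


def verdict(suite: str) -> str:
    """One-line assessment in the spirit of Chrome's security panel."""
    kx = key_exchange(suite)
    kind = "modern" if forward_secret(suite) else "obsolete"
    return f"{suite}: {kind} key exchange ({kx})"


def fs_only_server_context() -> ssl.SSLContext:
    """Server context that can only negotiate forward-secret suites.

    The cipher string is this example's choice: ECDHE and DHE suites with AEAD
    ciphers only, no anonymous key exchange, nothing below TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def negotiable_key_exchanges(ctx: ssl.SSLContext) -> set:
    """Key-exchange algorithms the context could still negotiate (OpenSSL 'kea' labels)."""
    return {c["kea"] for c in ctx.get_ciphers()}


# Constructed sample input: the suite Chrome reported in the thread plus a few
# neighbours, to show how each naming form is classified.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # what Zibri's Ncat negotiated
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # same cipher, ephemeral exchange
    "AES128-GCM-SHA256",                      # OpenSSL name for static RSA
    "ECDHE-RSA-AES128-GCM-SHA256",            # OpenSSL name for ECDHE-RSA
    "TLS_AES_128_GCM_SHA256",                 # TLS 1.3, always forward secret
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(verdict(s))
    print("server can negotiate:", sorted(negotiable_key_exchanges(fs_only_server_context())))
```

Running the script prints a verdict per sample suite and the set of key-exchange labels the hardened context still allows; `kx-rsa` must be absent from that set, which is what a server operator would confirm before trusting the configuration.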