Nmap Development mailing list archives

Re: ncat ssl insecure?!


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 21 Jan 2017 08:44:49 -0600

Zibri,

Thanks for asking. Ncat tries to make the best of whatever certificate you
give it. That's one cause of the "obsolete key exchange (RSA)" message you
got: you generated an RSA certificate. Now that's not actually a problem if
you generated a strong enough key: 2048 or greater key strength is
recommended. The rest (GCM cipher suite, TLS 1.2) is probably the best you
can do with OpenSSL as you've built it.

There is one area where Ncat can improve, and we have an issue to track
progress [1]. Ncat does not support Diffie-Hellman or Elliptic Curve
Diffie-Hellman key exchange methods. The ephemeral versions of these are
what Chrome would consider "strong" or "modern" because they have the
interesting property called "forward security." This means that even if
your private key is compromised, packet captures of previous sessions
cannot be decrypted. It's an important feature of TLS, and we would really
like to add it to Ncat before long.

Dan

[1] https://github.com/nmap/nmap/issues/290

On Fri, Jan 20, 2017 at 5:17 PM, Zibri <zibree () gmail com> wrote:

connecting using google chrome to ncat (

gives an insecure error:

The connection to this site uses a strong protocol (TLS 1.2), an obsolete
key exchange (RSA), and a strong cipher (AES_128_GCM).

obviously it can be manually ignored but it's annoying...

I run ncat in this way:

ncat -lk -p 8084 --ssl --ssl-cert=cert.pem --ssl-key=privkey.pem -c ./myscript.sh

is there any way to avoid it or is it a problem that must be addressed by
you?

regards,
Zibri


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
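
Added example (not part of the original thread and not Ncat code): a Python sketch that tells the static RSA key exchange Chrome flags apart from the ephemeral DHE/ECDHE exchanges described in the reply, by parsing OpenSSL or IANA cipher suite names. The helper names `key_exchange` and `negotiated_suite` and the sample suite names are assumptions constructed for illustration; only the RSA, DH, ECDH and PSK families are classified.

```python
import socket
import ssl

EPHEMERAL = {"ECDHE", "DHE", "EDH"}        # fresh key pair per handshake
STATIC = {"RSA", "DH", "ECDH", "PSK"}      # long-term secret protects every session
UNCLASSIFIED = {"ADH", "AECDH", "SRP"}     # anonymous and SRP suites: out of scope here


def key_exchange(suite):
    """Return (key_exchange, forward_secret) for an OpenSSL or IANA suite name."""
    name = suite.upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 names carry no key exchange; the protocol always uses (EC)DHE.
        return "TLS1.3", True
    if name.startswith("TLS_"):
        kx = name[4:].split("_WITH_")[0].split("_")[0]   # TLS_<kx>_<auth>_WITH_...
    else:
        first = name.split("-")[0]                        # <kx>-<auth>-<cipher>-...
        # OpenSSL drops the prefix for static RSA, e.g. AES128-GCM-SHA256.
        kx = first if first in EPHEMERAL | STATIC | UNCLASSIFIED else "RSA"
    if kx in UNCLASSIFIED or "ANON" in name:
        raise ValueError(f"{suite}: not classified by this example")
    return kx, kx in EPHEMERAL


def negotiated_suite(host, port):
    """Connect to your own test listener and return the suite it negotiates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # test listener with a self-signed certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT")       # Python 3.10+ defaults would refuse static RSA
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.cipher()[0]


# Constructed sample names (not captured from a real Ncat session).
SAMPLES = ["AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
           "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
           "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, key_exchange(s))
```

To check a listener such as the one on port 8084 in the question, pass the result of `negotiated_suite("127.0.0.1", 8084)` to `key_exchange`.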