Nmap Development mailing list archives
SSL support in Ncat - confusing server parameters and client version issue
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sat, 7 Feb 2009 12:06:17 +0100
Hi,
I had a look at the SSL support in Ncat and found the following (I am
using the latest CVS version, Ncat 0.2).
Note that I am using OpenSSL 0.9.8g; I did not test the latest OpenSSL version.
-------------------------------------------------------------------------
1. Ncat as SSL server - confusing parameters
-------------------------------------------------------------------------
The only way I could get Ncat to work as an SSL server is by specifying
all the SSL parameters, that is, not only --ssl, but also --ssl-key
and --ssl-cert.
E.g.
./ncat --ssl -l 1111 --ssl-cert /usr/share/doc/libssl-dev/demos/sign/cert.pem --ssl-key /usr/share/doc/libssl-dev/demos/sign/key.pem
(Note that I am using a certificate and key that come with libssl-dev)
Now, the fact that the cert and key parameters have to be specified as
well might sound obvious to SSL experts, but I forgot this at first,
and that returns some obscure errors, depending on the SSL
client used to connect to the Ncat server.
These are the Ncat error messages I receive when omitting the cert and
key options, thus running:
./ncat --ssl -l 1111
With SSLv2:
openssl s_client -ssl2 -connect localhost:1111
=> SSL_accept(): error:1406B0C9:SSL routines:GET_CLIENT_MASTER_KEY:peer error certificate
With SSLv3 and TLSv1:
openssl s_client -ssl3 -connect localhost:1111
openssl s_client -tls1 -connect localhost:1111
=> SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
I would suggest providing a user-friendly warning to the user when
she tries to run Ncat with both the "--ssl" and "-l" flags, but not
the "--ssl-cert" and "--ssl-key" flags.
Note that, in theory, there are some ciphers that do not seem to
require a certificate or key. E.g. the "anonymous" ciphers ("openssl
ciphers aNULL") do not seem to require a server certificate. That's
why instead of forcing the user to always use a key/certificate, a
warning might be more appropriate.
However, when I tried to use these anonymous ciphers, this does not
seem to work with Ncat, even when specifying a key and cert:
openssl s_client -cipher aNULL -connect localhost:1111
=> SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Ncat does not seem to support these ciphers.
I also missed some command line parameters to specify the used SSL
version and supported ciphers in Ncat. Is adding these features
planned?
-------------------------------------------------------------------------------
2. Ncat as SSL client - Not all versions supported?
-------------------------------------------------------------------------------
It seems that Ncat does not support pure TLSv1 or SSLv3 servers.
Starting an OpenSSL SSLv3 or TLSv1 server with the following commands:
openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl3
openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -tls1
and trying to connect with Ncat as follows:
./ncat --ssl localhost 4433
Ncat immediately quits without any error, while at the openssl side
the following error is shown (both in SSLv3 and TLSv1 case):
3026:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:295:
It works fine with an OpenSSL server started without specifying the
version, or using -no_ssl2 or -ssl2:
openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem
openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -no_ssl2
openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl2
Am I missing something, or does Ncat indeed not support pure TLSv1 and
SSLv3 servers?
Thank you,
Kristof
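
Added example, not part of the original post and not Ncat code: a sketch in Python's ssl module (which wraps OpenSSL) of the server-side case from section 1. It drives a handshake in memory against a server context that loaded no certificate, and pairs it with a preflight check of the kind the post suggests. The function names and the warning text are hypothetical, and the server is capped at TLS 1.2 as an assumption so that certificate-based cipher selection is what fails.

```python
import ssl

def listen_warning(use_ssl, listen, cert=None, key=None):
    """Hypothetical preflight check for the warning suggested in the post."""
    if use_ssl and listen and not (cert and key):
        return ("warning: --ssl with -l but no --ssl-cert/--ssl-key; "
                "clients are likely to fail the handshake")
    return None

def certless_server_handshake():
    """Handshake in memory against a server that loaded no certificate.

    Returns (failed, reason); reason is the string OpenSSL reports.
    """
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no load_cert_chain()
    server_ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # assumption, see lead-in
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False       # must be cleared before CERT_NONE
    client_ctx.verify_mode = ssl.CERT_NONE  # isolate the cipher negotiation

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    try:
        client.do_handshake()               # emits the ClientHello
    except ssl.SSLWantReadError:
        pass
    s_in.write(c_out.read())                # deliver the ClientHello to the server

    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        return (False, None)                # server wants more data: no failure yet
    except ssl.SSLError as exc:
        return (True, exc.reason)           # no certificate-based suite is usable
    return (False, None)

if __name__ == "__main__":
    print(listen_warning(True, True))
    print(certless_server_handshake())
```

The client context here uses Python's default cipher list, which excludes anonymous (aNULL) suites, so the two sides have nothing in common once the server has no certificate.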
