Nmap Development mailing list archives
SSL support in Ncat - confusing server parameters and client version issue
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sat, 7 Feb 2009 12:06:17 +0100
Hi,

I had a look at the SSL support in Ncat and found the following (I am using the latest CVS version, Ncat 0.2). Note that I am using OpenSSL 0.9.8g; I did not test the latest OpenSSL version.

-------------------------------------------------------------------------
1. Ncat as SSL server - confusing parameters
-------------------------------------------------------------------------

The only way I could get Ncat to work as an SSL server is by specifying all the SSL parameters, that is, not only --ssl, but also --ssl-key and --ssl-cert. E.g.

    ./ncat --ssl -l 1111 --ssl-cert /usr/share/doc/libssl-dev/demos/sign/cert.pem --ssl-key /usr/share/doc/libssl-dev/demos/sign/key.pem

(Note that I am using a certificate and key that come with libssl-dev.)

Now, the fact that the cert and key parameters have to be specified as well might sound obvious to SSL experts, but I forgot this in the first instance, and that returns some obscure errors, depending on the SSL client used to connect to the Ncat server.

These are the Ncat error messages I receive when omitting the cert and key options, thus running:

    ./ncat --ssl -l 1111

With SSLv2:

    openssl s_client -ssl2 -connect localhost:1111
    => SSL_accept(): error:1406B0C9:SSL routines:GET_CLIENT_MASTER_KEY:peer error certificate

With SSLv3 and TLSv1:

    openssl s_client -ssl3 -connect localhost:1111
    openssl s_client -tls1 -connect localhost:1111
    => SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I would suggest providing a user-friendly warning to the user when she tries to run Ncat with both the "--ssl" and "-l" flags, but not the "--ssl-cert" and "--ssl-key" flags.

Note that, in theory, there are some ciphers that do not seem to require a certificate or key. E.g. the "anonymous" ciphers ("openssl ciphers aNULL") do not seem to require a server certificate. That's why, instead of forcing the user to always use a key/certificate, a warning might be more appropriate.

However, when I tried to use these anonymous ciphers, this does not seem to work with Ncat, even when specifying a key and cert:

    openssl s_client -cipher aNULL -connect localhost:1111
    => SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Ncat does not seem to support these ciphers.

I also missed some command line parameters to specify the used SSL version and supported ciphers in Ncat. Is adding these features planned?

-------------------------------------------------------------------------------
2. Ncat as SSL client - Not all versions supported?
-------------------------------------------------------------------------------

It seems that Ncat does not support pure TLSv1 or SSLv3 servers.

Starting an OpenSSL SSLv3 or TLSv1 server with the following commands:

    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl3
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -tls1

and trying to connect with Ncat as follows:

    ./ncat --ssl localhost 4433

Ncat immediately quits without any error, while at the openssl side the following error is shown (both in the SSLv3 and TLSv1 case):

    3026:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:295:

It works fine with an OpenSSL server started without specifying the version, or using -no_ssl2 or -ssl2:

    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -no_ssl2
    openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem -ssl2

Am I missing something, or does Ncat indeed not support pure TLSv1 and SSLv3 servers?
Thank you,
Kristof

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
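
Added example, not part of the message above and not Ncat or OpenSSL code: a small triage script that parses the three OpenSSL error lines quoted in the message and unpacks each 8-digit code into its library, function and reason numbers. It assumes the 8/12/12-bit packing used by OpenSSL releases before 3.0 (which covers the 0.9.8g mentioned); the names decode and triage and the hint texts are hypothetical and only restate what the message observed.

```python
import re

# Error-queue line format: [pid:]error:<8 hex>:<library>:<function>:<reason>[:file:line:]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:\n]+)"
)

# Hints restate the observations in the message; they are not OpenSSL's wording.
HINTS = {
    "no shared cipher":
        "listener side: seen when --ssl -l was given without --ssl-cert/--ssl-key",
    "peer error certificate":
        "listener side, SSLv2 client: seen when --ssl-cert/--ssl-key were omitted",
    "wrong version number":
        "s_server started with -ssl3 or -tls1 reported this when Ncat connected",
}

def decode(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(line):
    """Return a dict describing the first OpenSSL error in line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = decode(m.group("code"))
    text = m.group("reason").strip()
    return {
        "lib": lib, "func": func, "reason": reason,
        "lib_name": m.group("lib"), "func_name": m.group("func"),
        "reason_text": text,
        "hint": HINTS.get(text, "no hint recorded for this reason"),
    }

# The first three lines are the ones quoted in the message; the last is constructed.
SAMPLE = [
    "SSL_accept(): error:1406B0C9:SSL routines:GET_CLIENT_MASTER_KEY:peer error certificate",
    "SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "3026:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:295:",
    "connection closed by peer",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```
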
Current thread:
- SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 07)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue David Fifield (Feb 17)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 18)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? Kristof Boeynaems (Feb 17)
- Re: SSL support in Ncat - client version issue: what do other apps do? David Fifield (Feb 18)
- Re: SSL support in Ncat - confusing server parameters and client version issue Brandon Enright (Feb 08)
- Re: SSL support in Ncat - confusing server parameters and client version issue Kristof Boeynaems (Feb 08)
- Re: SSL support in Ncat - confusing server parameters David Fifield (Feb 27)