Nmap Development mailing list archives
Re: SSL support in Ncat - confusing server parameters
From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Feb 2009 22:08:37 -0700
On Sat, Feb 07, 2009 at 12:06:17PM +0100, Kristof Boeynaems wrote:
> -------------------------------------------------------------------------
> 1. Ncat as SSL server - confusing parameters
> -------------------------------------------------------------------------
> The only way I could get Ncat to work as SSL server is by specifying all the SSL parameters, that is, not only --ssl, but also --ssl-key and --ssl-cert. E.g.
>
>     ./ncat --ssl -l 1111 --ssl-cert /usr/share/doc/libssl-dev/demos/sign/cert.pem --ssl-key /usr/share/doc/libssl-dev/demos/sign/key.pem
>
> (Note that I am using a certificate and key that comes with libssl-dev)
>
> Now, the fact that the cert and key parameters have to be specified as well, might sound obvious to SSL experts, but I forgot this in first instance, and that returns some obscure errors, depending on the SSL client used to connect to the Ncat server.

Thanks very much for testing. I can reproduce the obscure error messages with the commands you cite. In r12184 I added a warning if --ssl is used in listen mode without being used with both --ssl-key and --ssl-cert:

    Ncat: warning: You used --ssl in listen mode without also using --ssl-key and --ssl-cert. Connections probably won't work.

Maybe we should give instructions for generating a key and certificate, either in the warning message or in the documentation. I used this command to generate files for testing:

    openssl req -new -x509 -keyout test-key.pem -out test-cert.pem

Is that all that's necessary, or should that command be adjusted before being committed to documentation? OpenSSL experts?

> Ncat does not seem to support these ciphers. I also missed some command line parameters to specify the used SSL version and supported ciphers in Ncat. Is adding these features planned?

Those features aren't planned. The ability to specify the SSL version would solve the other problem you cited, of Ncat not being able to connect to some servers. I will respond to that in a different reply.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
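Added example, not part of the original message and not Ncat project code: a shell helper that generates a throwaway key and self-signed certificate without prompts and confirms the two files belong together before they are handed to `--ssl-key` and `--ssl-cert`. The `-nodes`, `-newkey rsa:2048`, `-days 30` and `-subj` options, the function names, the file names and the CN value are choices made for this example, not something settled in the thread.

```shell
#!/bin/sh
# Added example: test key/certificate pair for an Ncat SSL listener.
# Function names, file names and the CN are constructed for illustration.

# make_test_pair KEY CERT [CN]
# Writes an unencrypted RSA key and a self-signed certificate, no prompts.
make_test_pair() {
    key=$1; cert=$2; cn=${3:-localhost}
    # The subshell keeps the restrictive umask local, so the private key is
    # never readable by other users, not even briefly.
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
          -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null )
}

# pair_matches KEY CERT
# Succeeds only if the certificate carries the public key that is derived
# from the private key. A mismatched pair is one way to end up with a
# listener that starts but cannot complete a handshake.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# listener_args KEY CERT
# Prints the three options the listener needs, or fails before Ncat is
# ever started if the files do not form a usable pair.
listener_args() {
    pair_matches "$1" "$2" || {
        echo "key and certificate do not match" >&2
        return 1
    }
    printf '%s\n' "--ssl --ssl-key $1 --ssl-cert $2"
}

# Usage, with port 1111 as in the quoted command:
#   make_test_pair test-key.pem test-cert.pem &&
#       ncat -l 1111 $(listener_args test-key.pem test-cert.pem)
```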