Nmap Development mailing list archives

Re: ncat http proxy server and SSL


From: Markus Klinik <markus.klinik () gmx de>
Date: Sun, 7 Feb 2010 11:54:51 +0100

On Mon, Feb 01, 2010 at 01:00:50PM -0700, David Fifield wrote:
> On Sun, Jan 31, 2010 at 02:25:16PM +0100, Markus Klinik wrote:
> > the http proxy server mode of ncat doesn't support SSL, while the normal
> > listen mode does. I couldn't find anything related to the issue in the
> > mailing list archive and the commit history. Has some work been
> > done in that direction? Is it planned? If not, I would like to
> > work on a patch.
>
> It may not be that hard to add SSL support to the proxy. A patch would
> be welcome. (Almost?) all socket operations go through socket_buffer
> objects in http.c. You might be able to isolate the SSL stuff there.

As ncat_listen_stream already uses SSL, I'd like to reuse as much of
that code as possible. In particular, there is the function "ncat_recv"
which dispatches on whether SSL is compiled in and activated. It also
does this SSL_pending thing. It does delaying, telnet negotiation and
logging too.

So, here is the plan:

- replace socket_buffer.sd with an fdinfo
- make socket_buffer_readline use ncat_recv instead of recv
- make handle_connect and do_transaction use ncat_recv and ncat_send
  where appropriate
- put SSL init / deinit where appropriate
- finally, as telnet negotiation doesn't make much sense in proxy mode,
  forbid that combination in ncat_listen_mode

What do you think, does that sound reasonable?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
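
The layering the plan above describes, as an added example that is not part of the original post and is not ncat's code: a buffered line reader that pulls bytes through a per-connection receive callback, so the HTTP parsing never needs to know whether the bytes arrived over plain TCP or SSL. The names conn, line_buffer, line_buffer_readline and mock_recv are hypothetical, and the request text is constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
/* Hypothetical connection handle: recv_fn is chosen once (plain recv or a
   TLS read), so the HTTP code above it never branches on SSL. */
struct conn { ssize_t (*recv_fn)(struct conn *, void *, size_t); void *state; };
/* Buffered line reader on top of a conn; unread bytes are buf[start..end). */
struct line_buffer { struct conn *c; char buf[256]; size_t start, end; };
/* Copy one LF-terminated line (LF kept, NUL-terminated) into out. Returns its
   length, a shorter count at EOF, or -1 on error or a line that does not fit. */
ssize_t line_buffer_readline(struct line_buffer *lb, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (;;) {
        while (lb->start < lb->end) {
            if (n + 1 >= outsz) return -1;   /* oversize: reject, do not truncate */
            out[n++] = lb->buf[lb->start++];
            if (out[n - 1] == '\n') { out[n] = '\0'; return (ssize_t)n; }
        }
        ssize_t r = lb->c->recv_fn(lb->c, lb->buf, sizeof lb->buf);
        if (r < 0) return -1;
        if (r == 0) { out[n] = '\0'; return (ssize_t)n; }
        lb->start = 0; lb->end = (size_t)r;
    }
}
/* Constructed transport: at most 5 bytes per call, like a short TLS read. */
struct mock { const char *data; size_t off; };
ssize_t mock_recv(struct conn *c, void *buf, size_t len)
{
    struct mock *m = c->state;
    size_t k = strlen(m->data + m->off);
    if (k > 5) k = 5;
    if (k > len) k = len;
    memcpy(buf, m->data + m->off, k);
    m->off += k;
    return (ssize_t)k;
}

int main(void)
{
    struct mock m = { "CONNECT example.test:443 HTTP/1.1\r\nHost: example.test\r\n\r\n", 0 };
    struct conn c = { mock_recv, &m };
    struct line_buffer lb = { &c, {0}, 0, 0 };
    char line[64];
    while (line_buffer_readline(&lb, line, sizeof line) > 0) printf("%s", line);
    return 0;
}
```

Swapping mock_recv for a callback that wraps recv or an SSL read changes nothing in line_buffer_readline, which is the isolation the thread is after.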