Nmap Development mailing list archives

Re: ncat http proxy server and SSL


From: Markus Klinik <markus.klinik () gmx de>
Date: Wed, 17 Mar 2010 22:28:43 +0100

On Mon, Mar 15, 2010 at 03:43:26PM -0600, David Fifield wrote:
> These tests all started passing once your patch was applied.

I tried running the tests, but some of them are failing randomly with
read timeouts, for example the "Server sends EOF after client
disconnect" tests. Sometimes they all pass.  Bumping the timeout value
up to 5 seconds doesn't fix the random failures. Maybe it's some race
condition when setting up the test cases.  Do you have similar behavior?

I'd be interested in your thoughts on the implementation of SSL in the
proxy client. Ncat might be the only client that can actually make use
of an SSL-enabled proxy.

If you have thoughts about this I'd still like to hear them.

The ssl proxy client feature is definitely missing. Implementing it
should be similar in nature to the server side. Only that the proxy
client uses nsock for the read/forward loop, which cannot make use of
our fdinfo. So either we implement the loop as it is implemented in the
server (with fdinfo_recv/send), or we use nsock for both SSL-connecting
to the server and the read/forward loop. I didn't look at nsock yet, but
I assume it supports SSL.

My schedule is rather cramped at the moment, so it may be some weeks
before I find time to look at it.

Just some thought (or better: a wild guess) about why there are no HTTP
clients supporting SSL enabled proxies. If the client wants to fetch an
https website using an SSL enabled proxy, it first has to open an SSL
connection to the proxy. Then, using that connection and HTTP CONNECT,
open another SSL connection to the https website. It would have to do
SSL over SSL using one file descriptor. If I (again) understand
correctly, OpenSSL does not support SSL over SSL (don't know about other
SSL libraries). At least I didn't find a way to tell SSL_send to use
SSL_send again. Of course such a situation could be handled by ncat
using something like ncat --ssl --proxy=http --exec 'ncat --ssl ...' but
there would be two processes with two file descriptors involved.

If the SSL proxy client feature is implemented, the above should become
a test case. Also, we could do something like proxytunnel does. And
enable multiple chained proxies. A must have :)

Another thing, just for the record. There was a bug in my patch in the
error handling of the proxy server's read/forward loop, but I see you
already fixed it.

Best regards
Markus