Nmap Development mailing list archives

Re: ncat http proxy server and SSL


From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Mar 2010 20:55:39 -0600

On Wed, Mar 17, 2010 at 10:28:43PM +0100, Markus Klinik wrote:
On Mon, Mar 15, 2010 at 03:43:26PM -0600, David Fifield wrote:
These tests all started passing once your patch was applied.

I tried running the tests, but some of them are failing randomly with
read timeouts, for example the "Server sends EOF after client
disconnect" tests. Sometimes they all pass.  Bumping the timeout value
up to 5 seconds doesn't fix the random failures. Maybe it's some race
condition when setting up the test cases.  Do you have similar behavior?

Unfortunately the only way I have found to test the program externally
is to add artificial delays to give connections time to happen.
Sometimes the delays aren't enough. For instance, sometimes the SSL
tests fail for me when my CPU is otherwise being used, because the keys
aren't generated fast enough. Along with increasing the timeout in
timeout_read, you might increase the delay in ncat_client. If you see a
test pass once, that means it passes.

I'd be interested in your thoughts on the implementation of SSL in the
proxy client. Ncat might be the only client that can actually make use
of an SSL-enabled proxy.

If you have thoughts about this I'd still like to hear them.

The ssl proxy client feature is definitely missing. Implementing it
should be similar in nature to the server side. Only that the proxy
client uses nsock for the read/forward loop, which cannot make use of
our fdinfo. So either we implement the loop as it is implemented in the
server (with fdinfo_recv/send), or we use nsock for both SSL-connecting
to the server and the read/forward loop. I didn't look at nsock yet, but
I assume it supports SSL.

It does support SSL, but not the SSL-within-SSL tunnel you describe
next.

Just some thought (or better: a wild guess) about why there are no HTTP
clients supporting SSL enabled proxies. If the client wants to fetch an
https website using an SSL enabled proxy, it first has to open an SSL
connection to the proxy. Then, using that connection and HTTP CONNECT,
open another SSL connection to the https website. It would have to do
SSL over SSL using one file descriptor. If I (again) understand
correctly, OpenSSL does not support SSL over SSL (don't know about other
SSL libraries). At least I didn't find a way to tell SSL_send to use
SSL_send again.

I hadn't thought of that. That would be a pretty good reason. You could
probably build a custom BIO to handle it, but I don't know offhand.

Of course such a situation could be handled by ncat
using something like ncat --ssl --proxy=http --exec 'ncat --ssl ...' but
there would be two processes with two file descriptors involved.

If the SSL proxy client feature is implemented, the above should become
a test case. Also, we could do something like proxytunnel does. And
enable multiple chained proxies. A must have :)

The method you described above is currently our best way to do proxy
chaining. It's not ideal, but I think it's acceptable to use multiple
processes. It would be better if there was a syntax to handle it
automatically. Doing it this way is attractive for the SSL-within-SSL
tunnel because it doesn't add any complexity to the code.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

