ncat & ssl certificates

[ty <online () singularidea org>]

Regarding ncat and ssl

When starting a ncat with --verbose and --ssl it will generate a ssl key and
produce its sha-1 fingerprint.
When you are connecting to a listening ncat with ssl and using --verbose it
will produce its sha-1 fingerprint.

However, when you start a listening ncat with --verbose and --ssl with a
existing certificate it does not produce its sha-1 fingerprint.
I think it should be included in the --verbose output.

Also:

To utilize a existing key & certificate, it requires --ssl-key and
--ssl-cert to be issued with each other, even if both the cert and key are
in the same file.
ncat -vl --ssl --ssl-key keycert.pem --ssl-cert keycert.pem

I think a --ssl-pem keycert.pem
would fit in (or some other --ssl-bothkey)

Finally:

Ncat with -vl --chat --ssl makes for a effective de-centralized encrypted
chat server.
However, to verify the authenticity of the server you have two options:
check the fingerprint (addressed above) and using --ssl-verify
--ssl-trustfile.
Using self-signed certificates makes this difficult for the second option as
--ssl-verify checks for ip.adress/domainname and the validity of the
certificate. This can lead to a problem if the chat server (laptop?) moves
to a new place.

I understand the importance of --ssl-verify utilizing the domain name, but
perhaps there could be a option to verify the authenticity based on the
fingerprint of the public certificate? -> --ssl-verify-fingerprint cert.pem



--
View this message in context: http://nmap-dev.996309.n3.nabble.com/ncat-ssl-certificates-tp24599.html
Sent from the Nmap - Dev mailing list archive at Nabble.com.
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/