Nmap Development mailing list archives
ncat & ssl certificates
From: ty <online () singularidea org>
Date: Sun, 8 Jun 2014 07:47:30 -0700 (PDT)
Regarding ncat and ssl

When starting an ncat with --verbose and --ssl, it will generate an SSL key and produce its SHA-1 fingerprint. When you are connecting to a listening ncat with ssl and using --verbose, it will produce its SHA-1 fingerprint. However, when you start a listening ncat with --verbose and --ssl with an existing certificate, it does not produce its SHA-1 fingerprint. I think it should be included in the --verbose output.

Also: To utilize an existing key & certificate, it requires --ssl-key and --ssl-cert to be issued with each other, even if both the cert and key are in the same file.

    ncat -vl --ssl --ssl-key keycert.pem --ssl-cert keycert.pem

I think a --ssl-pem keycert.pem would fit in (or some other --ssl-bothkey).

Finally: Ncat with -vl --chat --ssl makes for an effective de-centralized encrypted chat server. However, to verify the authenticity of the server you have two options: check the fingerprint (addressed above) and using --ssl-verify --ssl-trustfile. Using self-signed certificates makes this difficult for the second option, as --ssl-verify checks for ip.address/domainname and the validity of the certificate. This can lead to a problem if the chat server (laptop?) moves to a new place. I understand the importance of --ssl-verify utilizing the domain name, but perhaps there could be an option to verify the authenticity based on the fingerprint of the public certificate? -> --ssl-verify-fingerprint cert.pem
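The fingerprint-based verification asked for at the end of the message can be illustrated from the client side. This is an added example, not code from the original post or from Ncat: a Python client that trusts a self-signed server only if its certificate matches a pinned fingerprint, independent of host name or IP. All function names and the sample bytes are constructed for illustration; SHA-1 is the default only because that is the fingerprint the message refers to.

```python
import hashlib
import hmac
import socket
import ssl

def cert_der_from_pem(text: str) -> bytes:
    """DER bytes of the first certificate in a PEM file that may also hold the key."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = text.index(begin)                  # ValueError if no certificate block
    stop = text.index(end, start) + len(end)
    return ssl.PEM_cert_to_DER_cert(text[start:stop])

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """A certificate fingerprint is the digest of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ABCD EF01 ..' or plain hex; return lowercase hex."""
    return "".join(c for c in fp if c in "0123456789abcdefABCDEF").lower()

def pin_matches(der: bytes, pinned_fp: str, algo: str = "sha1") -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    want = normalize(pinned_fp)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False                           # truncated or wrong-algorithm pin
    return hmac.compare_digest(fingerprint(der, algo), want)

def connect_pinned(host: str, port: int, pinned_fp: str, algo: str = "sha1"):
    """TLS connect that accepts the peer only if its certificate matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # identity comes from the pin
    ctx.verify_mode = ssl.CERT_NONE            # self-signed: no CA chain to check
    tls = ctx.wrap_socket(socket.create_connection((host, port)))
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_fp, algo):
        tls.close()                            # refuse before any data is exchanged
        raise ssl.SSLError("peer certificate does not match pinned fingerprint")
    return tls

# Constructed stand-in bytes, not a real certificate: the digest is taken over
# the raw DER, so the pin logic can be exercised without parsing X.509.
SAMPLE_DER = b"constructed-der-placeholder"
SAMPLE_KEYCERT_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    + ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
)
```

The pin would be computed once from the server's certificate file with `fingerprint(cert_der_from_pem(...))` and passed to clients over a trusted channel; passing `algo="sha256"` pins a SHA-256 fingerprint instead.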