Nmap Development mailing list archives

Discussion of Ncat's SSL security choices


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 6 Jan 2015 21:32:00 -0600

List,

In addition to bug reports and code submissions, we are using GitHub Issues
to hold some todo items. One of those [1] is to "Audit or review Ncat's use
of SSL/TLS."

This is really less of an audit of the code, and more of a requirements
solicitation. I need you all to put on your thinking caps and help decide
how Ncat will handle things like:

* Certificate verification
* Protocol version (i.e. SSL3, TLS1.2, etc) selection
* Certificate revocation checking

Or anything else you can think of.

This is an important decision, because the use of Ncat is not strictly
opt-in any more: Red Hat has adopted Ncat as their default Netcat
replacement. Keep this in mind when considering how the average sysadmin
will use it, and what behaviors they may expect or require.

Thanks for your time,
Dan

[1] https://github.com/nmap/nmap/issues/31
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
