
List:       nmap-dev
Subject:    Re: Secure SSL connections with Ncat
From:       David Fifield <david () bamsoftware ! com>
Date:       2009-04-25 3:44:01
Message-ID: 20090425034400.GB30645 () gusto

On Fri, Apr 24, 2009 at 10:39:46AM -0600, David Fifield wrote:
> The Ncat Users' Guide has had this warning on its SSL page
> (http://nmap.org/ncat/guide/ncat-ssl.html):
> 
> 	Ncat's SSL support is currently provided by the Nsock socket
> 	library, which is optimized for Nmap's version detection and
> 	prioritizes speed over security. The SSL channel may use a weak
> 	cipher or none at all, and there is no way to specify which
> 	ciphers to allow. Server certificates are not verified, making
> 	man-in-the-middle attacks possible. Ncat's SSL mode should be
> 	used as a tool to test and debug SSL servers and clients, and
> 	should not be considered strong encryption.
> 
> For the last few days I've been making changes so we can remove that
> warning; that is, to enable Ncat to make SSL connections that are at
> least as good as what your web browser makes.
> 
> The basic usage doesn't change:
> 	ncat --ssl www.amazon.com 443 -v
> The only difference is that Ncat will use only secure ciphers and won't
> do SSLv2. To do certificate verification, use --ssl-verify instead:
> 	ncat --ssl-verify www.amazon.com 443 -v
> That may or may not work, depending on whether you have default trusted
> CA certificates installed. If you have the root CA certificates in
> another place, or you want to connect to a server whose certificate is
> not signed by a root CA, use --ssl-trustfile to list trusted
> certificates:
> 	ncat --ssl-verify --ssl-trustfile ~/custom-certs.pem my.example.com 993 -v
> 
> To try the new code, do
> 	svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-ssl
> Are there any suggestions on option syntax or behavior before I merge
> this?

I merged this in r13069. If you didn't get a chance to try it, I'm still
open to making changes to the default behavior or the option interface.
The user interface is one of the hardest things to get right in
security.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org