Nmap Development mailing list archives
Re: ncat http proxy server and SSL
From: David Fifield <david () bamsoftware com>
Date: Mon, 15 Mar 2010 15:43:26 -0600
On Mon, Mar 15, 2010 at 12:55:12PM -0600, David Fifield wrote:
On Sat, Feb 27, 2010 at 03:12:53PM +0100, Markus Klinik wrote:Well, here is a patch set which enables SSL support in http-proxy mode.
I want to thank you for developing this simple and clever method of supporting SSL in the HTTP proxy. It was not as intrusive a code change as I once thought it would be. I made another patch based on your patches and applied it. The changes I made were the creation of low-level fdinfo_recv and fdinfo_send functions, and looser coupling of socket_buffer and fdinfo so that normal socket operations can be used more often.
The CONNECT method works, tested with ssh and proxytunnel. I couldn't test whether the other methods (GET,PUT,HEAD) work because I didn't find an http client that can connect to an SSL encrypted proxy. Neither firefox nor wget seem to support SSL encrypted proxies. Is there some reason? Am I not getting why this might be undesirable or impossible?You can test GET and others with Ncat itself. $ ncat -l --proxy-type http --ssl $ ncat --ssl localhost scanme.nmap.org 80 GET http://scanme.nmap.org/ HTTP/1.0
I made a mistake, it should have been $ ncat --ssl localhost But it works.
There are already existing tests for SSL support in the proxy in test/ncat-test.pl. They are currently marked as XFAIL to indicate that the feature is unimplemented. It looks like this now:
These tests all started passing once your patch was applied.
I'd be interested in your thoughts on the implementation of SSL in the proxy client. Ncat might be the only client that can actually make use of an SSL-enabled proxy.
I you have thoughts about this I'd still like to hear them. Even though other HTTP clients don't support SSL connections to proxies, I think that the combination of ncat -l --ssl --proxy-type http ncat --ssl --proxy host:port target could be pretty powerful. It would allow you to set up a temporary proxy, then route traffic through it with encryption and authentication. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- ncat http proxy server and SSL Markus Klinik (Jan 31)
- Re: ncat http proxy server and SSL David Fifield (Feb 01)
- Re: ncat http proxy server and SSL Markus Klinik (Feb 07)
- Re: ncat http proxy server and SSL David Fifield (Feb 12)
- Re: ncat http proxy server and SSL Markus Klinik (Feb 27)
- Re: ncat http proxy server and SSL David Fifield (Mar 15)
- Re: ncat http proxy server and SSL David Fifield (Mar 15)
- Re: ncat http proxy server and SSL Markus Klinik (Mar 17)
- Re: ncat http proxy server and SSL David Fifield (Mar 17)
- Re: ncat http proxy server and SSL Markus Klinik (Feb 07)
- Re: ncat http proxy server and SSL David Fifield (Feb 01)