Nmap Development mailing list archives
Re: ncat http proxy server and SSL
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Mar 2010 20:55:39 -0600
On Wed, Mar 17, 2010 at 10:28:43PM +0100, Markus Klinik wrote:
> On Mon, Mar 15, 2010 at 03:43:26PM -0600, David Fifield wrote:
> > These tests all started passing once your patch was applied.
>
> I tried running the tests, but some of them are failing randomly with read timeouts, for example the "Server sends EOF after client disconnect" tests. Sometimes they all pass. Bumping the timeout value up to 5 seconds doesn't fix the random failures. Maybe it's some race condition when setting up the test cases. Do you have similar behavior?
Unfortunately the only way I have found to test the program externally is to add artificial delays to give connections time to happen. Sometimes the delays aren't enough. For instance, sometimes the SSL tests fail for me when my CPU is otherwise being used, because the keys aren't generated fast enough. Along with increasing the timeout in timeout_read, you might increase the delay in ncat_client. If you see a test pass once, that means it passes.
> > I'd be interested in your thoughts on the implementation of SSL in the proxy client. Ncat might be the only client that can actually make use of an SSL-enabled proxy.
>
> > If you have thoughts about this I'd still like to hear them.
>
> The ssl proxy client feature is definitely missing. Implementing it should be similar in nature to the server side. Only that the proxy client uses nsock for the read/forward loop, which cannot make use of our fdinfo. So either we implement the loop as it is implemented in the server (with fdinfo_recv/send), or we use nsock for both SSL-connecting to the server and the read/forward loop. I didn't look at nsock yet, but I assume it supports SSL.
It does support SSL, but not the SSL-within-SSL tunnel you describe next.
> Just some thought (or better: a wild guess) about why there are no HTTP clients supporting SSL enabled proxies. If the client wants to fetch an https website using an SSL enabled proxy, it first has to open an SSL connection to the proxy. Then, using that connection and HTTP CONNECT, open another SSL connection to the https website. It would have to do SSL over SSL using one file descriptor. If I (again) understand correctly, OpenSSL does not support SSL over SSL (don't know about other SSL libraries). At least I didn't find a way to tell SSL_send to use SSL_send again.
I hadn't thought of that. That would be a pretty good reason. You could probably build a custom BIO to handle it, but I don't know offhand.
> Of course such a situation could be handled by ncat using something like ncat --ssl --proxy=http --exec 'ncat --ssl ...' but there would be two processes with two file descriptors involved. If the SSL proxy client feature is implemented, the above should become a test case. Also, we could do something like proxytunnel does. And enable multiple chained proxies. A must have :)
The method you described above is currently our best way to do proxy chaining. It's not ideal, but I think it's acceptable to use multiple processes. It would be better if there was a syntax to handle it automatically. Doing it this way is attractive for the SSL-within-SSL tunnel because it doesn't add any complexity to the code.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/