mailing list archives
Re: [Ncat] hang on ongoing ssl negotation in brokering mode
From: David Fifield <david () bamsoftware com>
Date: Sat, 11 Jun 2011 11:33:34 -0700
On Mon, Jun 06, 2011 at 01:07:52PM +0300, Shinnok wrote:
Quote from todo/nmap.txt:
o [Ncat] When in connection brokering or chat mode with ssl support
enabled, if one client connects and doesn't complete ssl negotiation,
it hangs any other connections while that first is active. One way to
Run SSL chat server like: /usr/local/bin/ncat --ssl -l --chat
Window #1: Connect without ssl: ncat -v chatserverip
Window #2: Try to connect with SSL: ncat -v --ssl chatserverip
Window #2 will not work while #1 is active. If you quit #1, #2
should work again.
Attached is a patch that handles this issue for your review.
The patch fixes both ncat_listen(.c) brokering as well as
ncat_broker(.c) brokering type. The way the patch works, is that I've
turned the socket non-blocking for non-exec commands in
handle_connection() function and only initiate the ssl through new_ssl()
at that spot. Then I handle the actual ssl negotiation(ssl_accept()) in
ncat_listen_stream() and ncat_broker() respectively.
Some additional ssl data was added in util.h to "struct fdinfo", as
necessary in order to keep the ssl info cross functions.
This patch looks very nice, Shinnok. Please change the name "ssldone" to
something more descriptive; it doesn't mean "SSL done," it means "SSL
I don't think the patch works when the server runs --sh-exec. For
ncat --ssl --sh-exec "date" -lk
Connecting with a non-SSL client prevents SSL clients from receiving any
data. I added a new test for this case. Would you look into it?
./ncat-test.pl issues no additional fails from svn current besides the
UNEXPECTED PASS SSL server doesn't block during handshake
Great, it's nice when a test works. Remove the xfail whenever you make a
known-bad test start passing.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/