Nmap Development mailing list archives

Re: ncat http proxy server and SSL


From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Feb 2010 17:37:50 -0700

On Sun, Feb 07, 2010 at 11:54:51AM +0100, Markus Klinik wrote:
> On Mon, Feb 01, 2010 at 01:00:50PM -0700, David Fifield wrote:
> > On Sun, Jan 31, 2010 at 02:25:16PM +0100, Markus Klinik wrote:
> > > the http proxy server mode of ncat doesn't support SSL, while the normal
> > > listen mode does. I couldn't find anything related to the issue in the
> > > mailing list archive and the commit history. Has there been some work
> > > done in that direction? Is it planned? If not, I would like to
> > > work on a patch.
> >
> > It may not be that hard to add SSL support to the proxy. A patch would
> > be welcome. (Almost?) all socket operations go through socket_buffer
> > objects in http.c. You might be able to isolate the SSL stuff there.
>
> As ncat_listen_stream already uses SSL, I'd like to reuse as much of
> that code as possible. In particular, there is the function "ncat_recv"
> which dispatches on whether SSL is compiled in and activated. It also
> does this SSL_pending thing. It does delaying, telnet negotiation and
> logging too.
>
> So, here is the plan:
>
> - replace socket_buffer.sd with an fdinfo
> - make socket_buffer_readline use ncat_recv instead of recv
> - make handle_connect and do_transaction use ncat_recv and ncat_send
>   where appropriate
> - put SSL init / deinit where appropriate
> - finally, as telnet negotiation doesn't make much sense in proxy mode,
>   forbid that combination in ncat_listen_mode
>
> What do you think, does that sound reasonable?

That sounds reasonable. However, rather than forbidding Telnet
negotiation at a high level, I would rather see another function
factored out that does the SSL stuff without the other things that
ncat_recv does. (It still probably makes sense to prohibit Telnet with
the HTTP proxy at a high level, but it should be enforced at a low level
to ensure the correctness of the HTTP traffic.)

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
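
Added example, not part of the original message and not Ncat's code: a sketch of the layering discussed above, where the proxy's line reader sits on a transport-only receive function and Telnet handling is a separate layer that the proxy path never calls. The names struct conn, transport_recv, telnet_recv, proxy_readline, demo and got are hypothetical, the Telnet filter is a simplified stand-in, and the TLS hook is left unset so the code runs without OpenSSL.

```c
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for Ncat's fdinfo: a descriptor plus an optional TLS
   read hook (it would wrap SSL_read when SSL is active); 0 = plain TCP. */
struct conn { int fd; ssize_t (*tls_read)(struct conn *, void *, size_t); };
char got[64]; /* receives what the chosen read path delivered */

/* Transport dispatch only: no Telnet handling, delay or logging. */
ssize_t transport_recv(struct conn *c, void *buf, size_t len) {
    if (c->tls_read) return c->tls_read(c, buf, len);
    return recv(c->fd, buf, len, 0);
}

/* Simplified Telnet layer (constructed, not Ncat's code): drops IAC triples. */
ssize_t telnet_recv(struct conn *c, unsigned char *buf, size_t len) {
    ssize_t n = transport_recv(c, buf, len), in, out = 0;
    for (in = 0; in < n; in++) {
        if (buf[in] == 0xFF && in + 2 < n) { in += 2; continue; }
        buf[out++] = buf[in];
    }
    return n < 0 ? n : out;
}

/* Proxy line reader built on transport_recv, so HTTP bytes arrive unmodified.
   Returns length including '\n', 0 on clean EOF, -1 on error or no newline. */
ssize_t proxy_readline(struct conn *c, char *line, size_t size) {
    size_t used = 0;
    while (used + 1 < size) {
        ssize_t n = transport_recv(c, line + used, 1); /* byte-wise for brevity */
        if (n < 0) return -1;
        if (n == 0) return used == 0 ? 0 : -1;
        if (line[used++] == '\n') { line[used] = '\0'; return (ssize_t)used; }
    }
    return -1;
}

/* Sends one constructed header line containing 0xFF 0xFB 0x01 over a
   socketpair and reads it back via either path; returns bytes delivered. */
ssize_t demo(int use_telnet) {
    static const char msg[] = "X-Bin: a\xff\xfb\x01" "b\r\n";
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    struct conn c = { sv[1], 0 };
    ssize_t n = write(sv[0], msg, sizeof msg - 1);
    if (n > 0 && use_telnet) n = telnet_recv(&c, (unsigned char *)got, sizeof got);
    else if (n > 0) n = proxy_readline(&c, got, sizeof got);
    close(sv[0]); close(sv[1]);
    return n;
}
```

The proxy path delivers all 14 bytes of the constructed line, while the Telnet path delivers 11 because the three 0xFF-prefixed bytes are consumed before the HTTP parser would see them.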

