Nmap Development mailing list archives

Re: "Ncat: Input/output error" when connecting to instalator.upc.pl:443


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 23 Jan 2017 08:30:32 -0600

Jacek,

I confirmed the problem, which is caused by the server simply disconnecting
without issuing a TLS alert message after receiving our Client Hello. After
correcting a problem with Ncat (--ssl-ciphers was not being used in client
mode, only in server/listen mode) I found that by reducing the number of
ciphers offered (changing the cipher list from default
'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' to
'ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH') I could get the connection to
complete. This is likely an instance of long handshake intolerance [1],
where some servers can't handle a handshake greater than 255 bytes. Adding
'!AES' reduces the handshake to 251 bytes, which succeeds. I first used
ssl-enum-ciphers (which has a workaround for the intolerance issue) to
determine that only one cipher was supported, TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Upon further checking, the limit for this server is greater than 255 bytes,
since openssl s_client succeeds with a 355-byte Client Hello. Ncat's
default on my system is 583 bytes.

Dan

[1] https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

On Sun, Jan 22, 2017 at 2:09 PM, Jacek Wielemborek <d33tah () gmail com> wrote:

Hi,

Take a look at this:

$ ncat --ssl instalator.upc.pl 443 -vvv
Ncat: Version 6.41SVN ( http://nmap.org/ncat )
NCAT DEBUG: Not doing certificate verification.
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_ssl(): SSL connection requested to
62.179.2.121:443/tcp (IOD #1) EID 9
libnsock handle_connect_result(): EID 9
error:00000000:lib(0):func(0):reason(0)
libnsock nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR
[Input/output error (5)] for EID 9 [62.179.2.121:443]
Ncat: Input/output error.

Probably the error is caused by outdated ciphers or something? I think
that the error message should say more.

Cheers,
d33tah
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
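
The effect described in the reply above (a shorter cipher list gives a shorter Client Hello) can be measured offline. This is an added example, not part of the original thread and not Ncat code; it assumes Python's ssl module built against OpenSSL, uses a placeholder hostname, caps the hello at TLS 1.2, and clears OpenSSL's padding extension by its numeric value so the raw length is visible.

```python
import ssl

# Cipher strings quoted in the message above.
NCAT_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
REDUCED = "ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

# OpenSSL's SSL_OP_TLSEXT_PADDING bit. Python's ssl module does not export it,
# so the numeric value is an assumption about the linked OpenSSL build.
SSL_OP_TLSEXT_PADDING = 0x10


def client_hello(cipher_string, hostname="host.example"):
    """Return the first TLS record OpenSSL would send; no network is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: cap at TLS 1.2 so TLS 1.3 suites and key shares do not
    # add bytes that the cipher string cannot control.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Padding would round a 256..511 byte hello up to 512 and hide the change.
    ctx.options = int(ctx.options) & ~SSL_OP_TLSEXT_PADDING
    ctx.set_ciphers(cipher_string)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and OpenSSL waits for a reply
    return outgoing.read()


def hello_sizes(cipher_string):
    """Parse the Client Hello and report its lengths and cipher suite count."""
    rec = client_hello(cipher_string)
    if rec[0] != 0x16 or rec[5] != 0x01:  # handshake record, client_hello
        raise ValueError("first record is not a Client Hello")
    body_len = int.from_bytes(rec[6:9], "big")
    # Body layout: version(2) random(32) sid_len(1) sid cipher_suites_len(2) ...
    sid_len = rec[43]
    suites_at = 44 + sid_len
    suites_len = int.from_bytes(rec[suites_at:suites_at + 2], "big")
    return {
        "record_bytes": len(rec),          # 5-byte record header included
        "handshake_bytes": body_len + 4,   # 4-byte handshake header included
        "cipher_suites": suites_len // 2,  # includes any signalling suite
    }


if __name__ == "__main__":
    for name, spec in (("default", NCAT_DEFAULT), ("reduced", REDUCED)):
        print(name, hello_sizes(spec))
```

The absolute byte counts depend on the local OpenSSL version and configuration, so they will not match the figures in the message; the difference between the two cipher strings is what to look at.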
