Skip to content

double the key length of self-signed cert in ncat #1310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AdrianVollmer wants to merge 1 commit into from
Closed

double the key length of self-signed cert in ncat #1310

AdrianVollmer wants to merge 1 commit into from

Conversation

@AdrianVollmer
Copy link

@AdrianVollmer AdrianVollmer commented Aug 28, 2018

The default key length was 1024 bit, which leads to this error in a
recent version of Debian Unstable (sid/buster):

Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small. QUITTING.

@AdrianVollmer
double the key length of self-signed cert in ncat
92c0307 
The default key length was 1024 bit, which leads to this error in a
recent version of Debian Unstable (sid/buster):

Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small. QUITTING.
@AdrianVollmer
Copy link
Author

AdrianVollmer commented Oct 23, 2018

Looks like it has been merged. Thx

@AdrianVollmer
Copy link
Author

AdrianVollmer commented Oct 23, 2018

Nvm, I looked at the wrong branch

@AdrianVollmer AdrianVollmer reopened this Oct 23, 2018
@JJAlexion
Copy link

JJAlexion commented Dec 19, 2018

The default key length was 1024 bit, which leads to this error in a
recent version of Debian Unstable (sid/buster):

Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small. QUITTING.

Hi Adrian,
I am getting the same issue when using ncat 7.7. How could I fix it? Sorry if this is a silly question I am new to Linux. thanks.

@AdrianVollmer
Copy link
Author

AdrianVollmer commented Dec 19, 2018

You need to create your own self-signed certificate with a key that is at least 2048 bit and then pass that certificate to ncat using the --ssl-cert and --sl-key parameters. See here: https://stackoverflow.com/a/10176685/1308830

Not sure what the status on this issue here is. According to the mailing list, they plan to merge it: https://seclists.org/nmap-dev/2018/q3/25
Who knows when it will happen

@AdrianVollmer AdrianVollmer mentioned this pull request Dec 19, 2018
Closed
@nnposter
Copy link

nnposter commented Dec 19, 2018

Hopefully this will be resolved by the end of the day. Stay tuned.

@nnposter
Copy link

nnposter commented Dec 20, 2018

Resolved in r37540. Thank you for contributing.

@JJAlexion Even without recompiling ncat, you can work around the issue by adjusting the following line in openssl.cnf from:

CipherString = DEFAULT@SECLEVEL=2

to

CipherString = DEFAULT

If you do not want to apply this change system-wide, you can clone the file and then use environment variable OPENSSL_CONF to force this alternate configuration, such as:

env OPENSSL_CONF=~/openssl-ncat.cnf ncat -l --ssl ....

@nmap-bot nmap-bot closed this in 25db5fb Dec 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AdrianVollmer @JJAlexion @nnposter