Increases ncat temporary RSA key size to 2048 bits

This resolves a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. Closes #1310, closes #1409
nmap · Dec 20, 2018 · 25db5fb · 25db5fb
1 parent fc3c915
commit 25db5fb
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 4 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,10 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve
+  a compatibility issue with OpenSSL library configured with security level 2,
+  as seen on current Debian or Kali.
+  [Adrian Vollmer, nnposter]
+
 o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
   non-SSH services. [Daniel Miller]
 

diff --git a/ncat/docs/ncatguide.xml b/ncat/docs/ncatguide.xml
@@ -459,7 +459,7 @@ Content-Type: text/html; charset=UTF-8
   certificate that clients can verify if they choose. If you start an
   SSL server without using the <option>--ssl-cert</option> and
   <option>--ssl-key</option> options, Ncat will automatically generate a
-  certificate and 1,024-bit RSA key. The certificate will of course not
+  certificate and 2,048-bit RSA key. The certificate will of course not
   be trusted by any application doing certificate verification. In
   verbose mode, the key's fingerprint will be printed so you can do
   manual verification if desired.
@@ -473,7 +473,7 @@ Content-Type: text/html; charset=UTF-8
 <screen>
 $ <userinput>ncat -v --listen --ssl</userinput>
 Ncat ( https://nmap.org/ncat )
-Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a <continuation/>permanent one.
+Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a <continuation/>permanent one.
 SHA-1 fingerprint: F0:13:BF:FB:2D:AA:76:88:22:60:3E:17:93:29:3E:0E:6B:92:C0:2F
 </screen>
   </example>

diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
@@ -161,7 +161,7 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key);
 
 /* Parameters for automatic key and certificate generation. */
 enum {
-    DEFAULT_KEY_BITS = 1024,
+    DEFAULT_KEY_BITS = 2048,
     DEFAULT_CERT_DURATION = 60 * 60 * 24 * 365,
 };
 #define CERTIFICATE_COMMENT "Automatically generated by Ncat. See https://nmap.org/ncat/."

diff --git a/ncat/test/test-wildcard.c b/ncat/test/test-wildcard.c
@@ -21,7 +21,7 @@ are rejected. The SSL transactions happen over OpenSSL BIO pairs.
 
 #include "ncat_core.h"
 
-#define KEY_BITS 1024
+#define KEY_BITS 2048
 
 static int tests_run = 0, tests_passed = 0;