ncat server with self-signed certificate accepts connections from ncat client without certificate #1898

JNA4 opened this issue Jan 26, 2020 · 5 comments

@JNA4 JNA4 commented Jan 26, 2020

When starting an ncat server with a self-signed certificate I was still able to connect to the server as an ncat client without using the certificate. The command to start the server:

ncat --listen --ssl --ssl-cert ca-crt.pem --ssl-key ca.key -vv --broker -p 4001

The command for the client:

ncat --ssl -vvv (hostname) 4001

The response I got back had the line:

Ncat: Certificate verification failed (self signed certificate).

But the connection was still created and I was able to send commands to another device that was also connected to the server.

I also tried running the server command without the first --ssl, but that didn't work either.

I couldn't find any examples anywhere for working with an ncat server with a self-signed certificate.

@nnposter nnposter commented Jan 26, 2020

You want to use options --ssl-verify and --ssl-trustfile on the client side.

@JNA4 JNA4 commented Jan 26, 2020

It works with --ssl-verify and --ssl-trustfile.
The problem is that it also works when I open the client without them...

@nnposter nnposter commented Jan 26, 2020

You are probably commingling different things. Originally you reported the following issue:

The response I got back had the line:

Ncat: Certificate verification failed (self signed certificate).

But the connection was still created and I was able to send commands to another device that was also connected to the server.

This is to be expected. By default the client produces the above-noted warning but proceeds with the connection anyway. If you do not want ncat to make this connection unless the server certificate is validated then you should be using the two options I mentioned. The first one is forcing the client to validate the server certificate and the second one is specifying which authorities are considered trusted.

If you are instead trying to achieve something else then please rephrase the issue.

@JNA4 JNA4 commented Jan 27, 2020

You are right, the 'Certificate verification failed' line is irrelevant here.
Let me rephrase what my issue is:
I am trying to prevent unauthorized clients from connecting to my server.
I opened my server with the line mentioned above. When I tried to connect to it with a client without the certificate, it was still able to connect. What do I need to do to make sure that only clients with a certificate can connect to my server?

@nnposter nnposter commented Jan 28, 2020

I do not believe that ncat supports certificate authentication of the client. While not ideal, you might be able to put something like socat or haproxy in front of the broker.

@nnposter nnposter added enhancement and removed question labels Jan 29, 2020
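An added example (not from this thread or the Nmap project) of the workaround nnposter describes: ncat's broker listens in plaintext on loopback only, socat terminates TLS in front of it and refuses any client that does not present a certificate signed by a private client CA, and the ncat client uses --ssl-verify/--ssl-trustfile so it no longer merely warns. The server keeps the issue's ca-crt.pem/ca.key pair; the client CA, client certificate, port 4002 and the hostname myhost are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: client-certificate authentication in front of an ncat broker,
# using socat as the TLS front end (ncat itself does not verify client certs).
# Client-CA files, ports and subject names below are constructed for this example.
set -eu

CA_DIR=${CA_DIR:-./mtls-demo}

# Create a private CA for clients and issue one client certificate signed by it.
make_client_ca() {
  mkdir -p "$CA_DIR"
  ( cd "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=client-ca" \
      -keyout client-ca.key -out client-ca.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
      -keyout client1.key -out client1.csr
    openssl x509 -req -in client1.csr -CA client-ca.crt -CAkey client-ca.key \
      -CAcreateserial -days 365 -out client1.crt )
}

# The broker listens only on loopback, in plaintext: socat terminates TLS for it.
broker_cmd() {
  printf 'ncat --listen --broker 127.0.0.1 %s\n' "$1"
}

# socat accepts TLS on the public port with the issue's server cert/key, requires
# a client certificate chaining to client-ca.crt (cafile= plus verify=1), and
# relays only authenticated connections to the broker port.
frontend_cmd() {
  printf 'socat OPENSSL-LISTEN:%s,reuseaddr,fork,cert=ca-crt.pem,key=ca.key,cafile=%s,verify=1 TCP:127.0.0.1:%s\n' \
    "$1" "$CA_DIR/client-ca.crt" "$2"
}

# The client presents its certificate and, as nnposter described, validates the
# server against an explicit trust file instead of only printing a warning.
client_cmd() {
  printf 'ncat --ssl --ssl-cert %s --ssl-key %s --ssl-verify --ssl-trustfile ca-crt.pem %s %s\n' \
    "$CA_DIR/client1.crt" "$CA_DIR/client1.key" "$1" "$2"
}

if [ "${1:-}" = run ]; then
  make_client_ca
  echo "broker:   $(broker_cmd 4002)"
  echo "frontend: $(frontend_cmd 4001 4002)"
  echo "client:   $(client_cmd myhost 4001)"
fi
```

Run the three printed commands in that order (broker, then socat, then the client); a client that omits --ssl-cert/--ssl-key is rejected by socat during the TLS handshake and never reaches the broker.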