double the key length of self-signed cert in ncat #1310

Closed
@AdrianVollmer
commented Aug 28, 2018

The default key length was 1024 bit, which leads to this error in a
recent version of Debian Unstable (sid/buster):

Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small. QUITTING.

@AdrianVollmer

commented Oct 23, 2018

Looks like it has been merged. Thx

@AdrianVollmer

commented Oct 23, 2018

Nvm, I looked at the wrong branch

@AdrianVollmer AdrianVollmer reopened this Oct 23, 2018

@JJAlexion

commented Dec 19, 2018

The default key length was 1024 bit, which leads to this error in a
recent version of Debian Unstable (sid/buster):

Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small. QUITTING.

Hi Adrian,
I am getting the same issue when using ncat 7.7. How could I fix it? Sorry if this is a silly question; I am new to Linux. Thanks.

@AdrianVollmer

commented Dec 19, 2018

You need to create your own self-signed certificate with a key that is at least 2048 bit and then pass that certificate to ncat using the --ssl-cert and --ssl-key parameters. See here: https://stackoverflow.com/a/10176685/1308830

Not sure what the status on this issue here is. According to the mailing list, they plan to merge it: https://seclists.org/nmap-dev/2018/q3/25
Who knows when it will happen.
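
The workaround described in the comment above, as an added example that is not part of the original thread or of the Nmap project's code: generate a self-signed certificate with an RSA key of at least 2048 bits (the minimum OpenSSL accepts at security level 2), confirm the key size, and pass both files to ncat. The file names, the `CN=localhost` subject, the 30-day lifetime and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Output file names, subject and validity are assumptions.

# Generate an unencrypted RSA key and a self-signed certificate.
#   $1 = output directory, $2 = RSA key size in bits (default 2048)
make_ncat_cert() {
    dir=$1
    bits=${2:-2048}
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 30 \
            -subj "/CN=localhost" \
            -keyout "$dir/ncat-key.pem" -out "$dir/ncat-cert.pem"
    )
}

# Print the public key size, in bits, of a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if an RSA certificate's key has at least $2 bits
# (default 2048). A shorter key is what triggers "ee key too small".
cert_key_ok() {
    have=$(cert_key_bits "$1")
    [ -n "$have" ] && [ "$have" -ge "${2:-2048}" ]
}

# Usage:
#   make_ncat_cert . 2048 && cert_key_ok ./ncat-cert.pem &&
#       ncat -l --ssl --ssl-cert ncat-cert.pem --ssl-key ncat-key.pem
```

`cert_key_ok` can also be pointed at an existing certificate to tell whether it would be rejected for its key size before ncat is started with it.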

@nnposter

commented Dec 19, 2018

Hopefully this will be resolved by the end of the day. Stay tuned.

@nnposter

commented Dec 20, 2018

Resolved in r37540. Thank you for contributing.

@JJAlexion Even without recompiling ncat, you can work around the issue by adjusting the following line in openssl.cnf from:

CipherString = DEFAULT@SECLEVEL=2

to

CipherString = DEFAULT

If you do not want to apply this change system-wide, you can clone the file and then use environment variable OPENSSL_CONF to force this alternate configuration, such as:

env OPENSSL_CONF=~/openssl-ncat.cnf ncat -l --ssl ....

@nmap-bot nmap-bot closed this in 25db5fb Dec 20, 2018
