Wednesday, August 16, 2006

Nssl

I'm reading a book about VPNs (to be reviewed shortly) and I found myself in the section on SSL. I wondered whether an SSL-aware version of Netcat existed.

I know there are versions of Netcat that provide encryption, like Cryptcat, but I did not know of one that supported SSL -- until now.

I found Nssl, which works very well. Consider the following:

orr:/usr/local/src$ fetch http://superb-east.dl.sourceforge.net/sourceforge/nssl/nssl.005.tgz
nssl.005.tgz 100% of 10 kB 615 kBps
orr:/usr/local/src$ tar -xzvf nssl.005.tgz
x nssl/
x nssl/Makefile
x nssl/nssl.c
x nssl/nssl.h
x nssl/pem_bin.h
x nssl/readme.txt
x nssl/server.pem
x nssl/sock.c
x nssl/sock.h
x nssl/sslut.c
x nssl/sslut.h
x nssl/utils.c
x nssl/utils.h
orr:/usr/local/src$ cd nssl
orr:/usr/local/src/nssl$ make
gcc -Wall -O2 -I /usr/local/ssl/include -c nssl.c
gcc -Wall -O2 -I /usr/local/ssl/include -c sslut.c
gcc -Wall -O2 -I /usr/local/ssl/include -c sock.c
gcc -Wall -O2 -I /usr/local/ssl/include -c utils.c
cc -o nssl nssl.o sslut.o sock.o utils.o -lssl -lcrypto
orr:/usr/local/src/nssl$ ./nssl -h

./nssl [options]

where [options] are:

misc : [-v] to unset autist mode
[-o] to output traffic in hex dump on stderr
[-r] to not use SSL mode (clear text)
[-c] to unset canonical mode for stdin (send data for each keypress)
client: [-b] to read banner and exit (timeout is 4 seconds)
[-p port] to use source port
server: [-l port] to listen on local port (wait for incoming connections)
[-e comm] to execute a command when connection has been established
[-f file] to load a different cert and privkey from PEM file
proxy: [-x port] to bounce from local port to remote host

orr:/usr/local/src/nssl$ ./nssl www.usaa.com 443
HEAD / HTTP/1.0

HTTP/1.1 302 Found
Date: Wed, 16 Aug 2006 20:21:03 GMT
Server: IBM_HTTP_Server
Location: https://www.usaa.com/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

A quick look with Tcpdump shows the traffic was indeed encrypted. Cool.

Thanks to Hanashi for reminding me of the following:

orr:/home/richard$ openssl s_client -connect www.usaa.com:443
CONNECTED(00000003)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Texas/L=San Antonio/O=USAA/OU=EMITS/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.usaa.com
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=Texas/L=San Antonio/O=USAA/OU=EMITS/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.usaa.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1724 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 5A2D000062DF67F204E08ECD2E9F0C7837DF37C9585858585E81E344AF060000
Session-ID-ctx:
Master-Key: 262D4F535ABA0DBB38906C1C377A33FE9620ADBE783BA130278BBBEA41AE2C4B8CBB2683C823F071BFBC81162DDD7773
Key-Arg : None
Start Time: 1155760473
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
HEAD / HTTP/1.0

HTTP/1.1 302 Found
Date: Wed, 16 Aug 2006 20:34:42 GMT
Server: IBM_HTTP_Server
Location: https://www.usaa.com/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

read:errno=0

That works too, although it doesn't support the other options in Nssl.
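As an added example (my own code, not part of Nssl or OpenSSL), here is the same HEAD-over-TLS exchange using Python's ssl module. The verify switch makes explicit the difference between what Nssl and a bare s_client give you (encryption without server authentication, hence the "verify error:num=19" above) and a connection checked against the system CA bundle. SAMPLE_RESPONSE is the server reply from the session above, constructed inline so the parser can be exercised offline.

```python
import socket
import ssl

# Constructed from the response shown earlier in this post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\nDate: Wed, 16 Aug 2006 20:21:03 GMT\r\n"
    b"Server: IBM_HTTP_Server\r\nLocation: https://www.usaa.com/\r\n"
    b"Vary: Accept-Encoding\r\nConnection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)

def parse_http_head(raw):
    """Return (status_code, headers) from the head of an HTTP response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)          # e.g. HTTP/1.1 302 Found
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return int(status[1]), headers

def tls_head(host, port=443, verify=True, timeout=4.0):
    """Send 'HEAD / HTTP/1.0' over TLS, like 'nssl host 443' or
    'openssl s_client -connect host:port', and return
    (status_code, headers, peer_cert_subject_or_None)."""
    if verify:
        ctx = ssl.create_default_context()   # CA bundle + hostname check
    else:
        # What nssl and a bare s_client do: encrypt, but do not
        # authenticate the peer. Fine for a banner grab, nothing more.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            cert = tls.getpeercert()          # {} when verify=False
    code, headers = parse_http_head(b"".join(chunks))
    subject = dict(rdn[0] for rdn in cert["subject"]) if cert else None
    return code, headers, subject

if __name__ == "__main__":
    import sys
    print(tls_head(sys.argv[1], verify="--no-verify" not in sys.argv))
```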

2 comments:

Chris Green said...

http://www.dest-unreach.org/socat/ is the best netcat replacement I've seen. It's saved me countless test programs for playing with various types of sockets.
