Bug 1317924
| Field | Value |
|---|---|
| Summary | RFC: ncat failing with input/output error with ssl option |
| Product | Red Hat Enterprise Linux 7 |
| Component | nmap |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Paulo Andrade <pandrade> |
| Assignee | Pavel Zhukov <pzhukov> |
| QA Contact | Jaroslav Aster <jaster> |
| CC | dmiller, jaster, ksrot, mhlavink, omoris, thozza |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | nmap-6.40-9.el7 |
| Last Closed | 2018-04-10 08:36:10 UTC |
| Type | Bug |
| Bug Depends On | 1460249 |
| Bug Blocks | 1298243, 1420851, 1465887, 1465928 |

Description
Paulo Andrade
2016-03-15 14:10:57 UTC
reproducible

(In reply to Paulo Andrade from comment #0)
> I did several tests, but could not find a way to correct the
> problem, until I found the "hint" about --sctp on a message, without
> replies, at:
>
> http://seclists.org/nmap-dev/2015/q4/58

Unfortunately, nmap upstream does not really focus on ncat, it's more like see what our libraries can do. I've sent them patches for review a long time ago and it's very difficult to get any response from them.

----
for QE:
reproducer needs also -subj '/CN=localhost' as openssl command, or ncat will fail with certificate verification error

Created attachment 1136642
localhost.key
sorry for the bad example creating certs, need to fill manually.
Just attaching ready ones for testing purposes.
Or, do not make the "yes us" pipe, and type:
us
us
us
us
localhost
Created attachment 1136643
localhost.pem
Hi Michal,

Can you attach the patches you said were sent to upstream to the case report? Or were they not related to this issue?

I asked the user to be 100% sure to reproduce the problem on a localhost connection, and actually, it does not happen in a localhost connection. I assumed it would fail on localhost connection, but after user telling it works, I tested it better, and can also reproduce the issue if connecting two hosts (and then, it works if using --sctp).

(In reply to Paulo Andrade from comment #5)
> Can you attach the patches you said were sent to upstream
> to the case report? Or were they not related to this issue?
>

They were not related to this issue. It was just to illustrate that getting upstream response is close to impossible, for example https://github.com/nmap/nmap/issues/157 that is reported upstream with patch for a few years (first mailing list, then issue tracker) with no response.

I have just fixed this in Nmap upstream r36652. The problem is in the Ncat server, which was treating SSL_read identically to recv: the problem is that SSL_read can return -1 when all that is required is to try the call again. After adding code to check for this condition, the connection is maintained and transfer is successful. This will be included in the next release of Ncat/Nmap.

https://github.com/nmap/nmap/commit/ac8b866d73ca4df63c4b336253afd944d44d9c6a

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0661
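
The condition named in the upstream fix comment above (a TLS read that fails only because the call has to be retried), shown as an added example that is not part of this bug report or of Ncat's code. It uses Python's standard `ssl` module, which reports OpenSSL's SSL_ERROR_WANT_READ as `ssl.SSLWantReadError`; the function names and the in-memory client are constructed for illustration.

```python
import ssl


def new_client_tls():
    """Constructed in-memory TLS client: no network, and no peer has answered yet."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    return tls, incoming, outgoing


def read_like_recv(tls, n=4096):
    """Flawed pattern: every failed read is treated as a dead connection."""
    try:
        data = tls.read(n)
    except ssl.SSLError:
        return ("closed", b"")
    return ("data", data) if data else ("closed", b"")


def read_tls(tls, n=4096):
    """Separate 'try again later' from end-of-stream and from real errors."""
    try:
        data = tls.read(n)
    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
        # The TLS layer needs more transport I/O before it can return
        # application data: keep the connection and retry when ready.
        return ("retry", b"")
    except ssl.SSLZeroReturnError:
        return ("closed", b"")   # peer sent close_notify
    except ssl.SSLError:
        return ("error", b"")    # genuine TLS failure
    return ("data", data) if data else ("closed", b"")


def demo():
    """Run both readers against a client whose peer has sent nothing yet."""
    tls, _incoming, outgoing = new_client_tls()
    careful = read_tls(tls)
    naive = read_like_recv(tls)
    # outgoing.pending > 0: the read attempt queued handshake bytes to send,
    # which is why the call must be retried rather than abandoned.
    return careful[0], naive[0], outgoing.pending > 0


if __name__ == "__main__":
    print(demo())
```
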