
Increases ncat temporary RSA key size to 2048 bits

This resolves a compatibility issue with OpenSSL library configured with
security level 2, as seen on current Debian or Kali. Closes #1310, closes #1409
nnposter
2018-12-20 02:04:02 +00:00
parent fc3c9159be
commit 25db5fbb0d
4 changed files with 9 additions and 4 deletions


@@ -1,5 +1,10 @@
#Nmap Changelog ($Id$); -*-text-*-
o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve
a compatibility issue with OpenSSL library configured with security level 2,
as seen on current Debian or Kali.
[Adrian Vollmer, nnposter]
o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
non-SSH services. [Daniel Miller]


@@ -459,7 +459,7 @@ Content-Type: text/html; charset=UTF-8
certificate that clients can verify if they choose. If you start an
SSL server without using the <option>--ssl-cert</option> and
<option>--ssl-key</option> options, Ncat will automatically generate a
certificate and 1,024-bit RSA key. The certificate will of course not
certificate and 2,048-bit RSA key. The certificate will of course not
be trusted by any application doing certificate verification. In
verbose mode, the key's fingerprint will be printed so you can do
manual verification if desired.
@@ -473,7 +473,7 @@ Content-Type: text/html; charset=UTF-8
<screen>
$ <userinput>ncat -v --listen --ssl</userinput>
Ncat ( https://nmap.org/ncat )
Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a <continuation/>permanent one.
Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a <continuation/>permanent one.
SHA-1 fingerprint: F0:13:BF:FB:2D:AA:76:88:22:60:3E:17:93:29:3E:0E:6B:92:C0:2F
</screen>
</example>


@@ -161,7 +161,7 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key);
/* Parameters for automatic key and certificate generation. */
enum {
DEFAULT_KEY_BITS = 1024,
DEFAULT_KEY_BITS = 2048,
DEFAULT_CERT_DURATION = 60 * 60 * 24 * 365,
};
#define CERTIFICATE_COMMENT "Automatically generated by Ncat. See https://nmap.org/ncat/."
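Review bot: The new `DEFAULT_KEY_BITS = 2048` carries no comment saying why 2048 is the floor, so a later edit could lower it and bring back the compatibility issue this commit resolves. The commit message ties the value to OpenSSL security level 2, which rejects RSA keys shorter than 2048 bits; I would record that on the line, e.g. `DEFAULT_KEY_BITS = 2048, /* minimum RSA size accepted at OpenSSL security level 2 */`. The test file's separate `#define KEY_BITS 2048` is a second copy of the same number and would benefit from a `/* keep in sync with DEFAULT_KEY_BITS */` comment. ssl_gen_cert's body is outside this hunk, so whether the digest used to sign the generated certificate is also acceptable at that level cannot be confirmed from here.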


@@ -21,7 +21,7 @@ are rejected. The SSL transactions happen over OpenSSL BIO pairs.
#include "ncat_core.h"
#define KEY_BITS 1024
#define KEY_BITS 2048
static int tests_run = 0, tests_passed = 0;