From 25db5fbb0d8fb88b6e7f4f298c862cd05ed0f8b1 Mon Sep 17 00:00:00 2001 From: nnposter Date: Thu, 20 Dec 2018 02:04:02 +0000 Subject: [PATCH] Increases ncat temporary RSA key size to 2048 bits This resolves a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. Closes #1310, closes #1409 --- CHANGELOG | 5 +++++ ncat/docs/ncatguide.xml | 4 ++-- ncat/ncat_ssl.c | 2 +- ncat/test/test-wildcard.c | 2 +- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 6e0fd7228..50bb4c6ea 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,10 @@ #Nmap Changelog ($Id$); -*-text-*- +o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve + a compatibility issue with OpenSSL library configured with security level 2, + as seen on current Debian or Kali. + [Adrian Vollmer, nnposter] + o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against non-SSH services. [Daniel Miller] diff --git a/ncat/docs/ncatguide.xml b/ncat/docs/ncatguide.xml index 9dca93ab4..1e2678d41 100644 --- a/ncat/docs/ncatguide.xml +++ b/ncat/docs/ncatguide.xml @@ -459,7 +459,7 @@ Content-Type: text/html; charset=UTF-8 certificate that clients can verify if they choose. If you start an SSL server without using the and options, Ncat will automatically generate a - certificate and 1,024-bit RSA key. The certificate will of course not + certificate and 2,048-bit RSA key. The certificate will of course not be trusted by any application doing certificate verification. In verbose mode, the key's fingerprint will be printed so you can do manual verification if desired. 
@@ -473,7 +473,7 @@ Content-Type: text/html; charset=UTF-8 $ ncat -v --listen --ssl Ncat ( https://nmap.org/ncat ) -Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one. +Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one. SHA-1 fingerprint: F0:13:BF:FB:2D:AA:76:88:22:60:3E:17:93:29:3E:0E:6B:92:C0:2F diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c index 86ee8b97f..1539b9814 100644 --- a/ncat/ncat_ssl.c +++ b/ncat/ncat_ssl.c @@ -161,7 +161,7 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key); /* Parameters for automatic key and certificate generation. */ enum { - DEFAULT_KEY_BITS = 1024, + DEFAULT_KEY_BITS = 2048, DEFAULT_CERT_DURATION = 60 * 60 * 24 * 365, }; #define CERTIFICATE_COMMENT "Automatically generated by Ncat. See https://nmap.org/ncat/." diff --git a/ncat/test/test-wildcard.c b/ncat/test/test-wildcard.c index b9a2ef3e5..8eda9e943 100644 --- a/ncat/test/test-wildcard.c +++ b/ncat/test/test-wildcard.c @@ -21,7 +21,7 @@ are rejected. The SSL transactions happen over OpenSSL BIO pairs. #include "ncat_core.h" -#define KEY_BITS 1024 +#define KEY_BITS 2048 static int tests_run = 0, tests_passed = 0;
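Review bot: DEFAULT_KEY_BITS in the ncat/ncat_ssl.c hunk gets the new value 2048 but no comment recording why, so a later "make --listen --ssl start faster" change could drop it back below what OpenSSL security level 2 accepts (and below current guidance, under which 1024-bit RSA has long been deprecated for new use). A one-line comment above the enum would pin the intent: `/* 2048 is the smallest RSA size accepted at OpenSSL security level 2 (the default on current Debian/Kali); do not lower. */`. The same value is duplicated as `KEY_BITS` in the ncat/test/test-wildcard.c hunk with nothing tying it to DEFAULT_KEY_BITS; unless the enum moves to a shared header so the test can use it directly, a matching note there (`/* keep in step with DEFAULT_KEY_BITS in ncat_ssl.c */`) would keep the two from drifting apart. Presumably the user-facing "Generating a temporary N-bit RSA key" message is formatted from DEFAULT_KEY_BITS rather than a literal, since only the docs needed the 1024 to 2048 update in this commit, but that code is outside the hunk and worth confirming.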