Bug#940284: autogeneration of ssl key in ssl server mode of ncat is broken

2019-09-15 Thread Hilko Bengen
Control: fixed -1 7.80+dfsg1-1
Control: tag -1 fixed-upstream

Hi,

thanks for reporting this bug. This bug has been fixed upstream between
NMAP 7.70 and 7.80. We should get this fixed via proposed-updates and,
eventually, the next buster point release.

Cheers,
-Hilko



Bug#940284: autogeneration of ssl key in ssl server mode of ncat is broken

2019-09-15 Thread Stefan Baur
Package: ncat
Version: 7.70+dfsg1-6

When calling ncat 7.70 like so:

ncat --ssl -l -p 4223 -v

It reports:

Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and
--ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 0EE7 DDAD 7284 7826 D49D 9277 B456 371D 1652 C887
Ncat: SSL_CTX_use_certificate(): error:140AB18F:SSL
routines:SSL_CTX_use_certificate:ee key too small. QUITTING.

... and quits.

Expected behavior, as displayed by ncat 7.60:

Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and
--ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 88D6 3917 08F9 A7A2 555A A97F 9567 D863 DC4F C6EF
Ncat: Listening on :::4223
Ncat: Listening on 0.0.0.0:4223

Note that the actual cause might be the OpenSSL version being different
as well. Buster has OpenSSL 1.1.1c, if I'm not mistaken; while the
system where I tried out ncat 7.60 has OpenSSL 1.1.1 (without the "c").

However, if OpenSSL by default requires a minimum key length larger than
1024 bits, then ncat should either default to a larger key length or
offer a commandline parameter to specify an arbitrary key length.

It seems to be fixed in ncat 7.80, which defaults to a 2048-bit key now:

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and
--ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 7612 C7AD 2B90 48DD 6932 2745 A324 F590 3361 16C3
Ncat: Listening on :::4223
Ncat: Listening on 0.0.0.0:4223

Would it be possible to either get 7.80 into Buster, or to backport the
particular change into the 7.70 we have in Buster?

I am aware that it is possible to specify a key and cert file; but that
is only acceptable as a workaround, not as a solution.

Kind Regards,
Stefan Baur
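The following is an added example, not part of the bug report above and not
code from the nmap/ncat project. OpenSSL 1.1.1 checks the end-entity key against
the context's security level when the certificate is loaded, which is where the
"ee key too small" error from SSL_CTX_use_certificate() comes from; Debian
buster ships /etc/ssl/openssl.cnf with "CipherString = DEFAULT@SECLEVEL=2",
which rejects RSA keys under 2048 bits regardless of the 1.1.1 patch letter.
The script below reads that default level from openssl.cnf, checks a given RSA
key size against it using the thresholds documented in
SSL_CTX_set_security_level(3), and generates a self-signed certificate whose key
clears the level, for use with the --ssl-key/--ssl-cert workaround mentioned in
the report. It assumes the openssl command-line tool is installed; the function
names and the "run" entry point are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from nmap/ncat): check an RSA key
# size against OpenSSL's security level and build a key/cert pair that passes.
# Assumes the `openssl` CLI is available.
set -eu

# Minimum RSA modulus (bits) OpenSSL accepts for an end-entity key at each
# security level, per SSL_CTX_set_security_level(3); level 0 disables the check.
min_rsa_bits_for_level() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Default security level from the system openssl.cnf (Debian buster sets
# "CipherString = DEFAULT@SECLEVEL=2"); falls back to OpenSSL's built-in 1.
default_seclevel() {
    cnf="$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/openssl.cnf"
    lvl=$(sed -n 's/.*@SECLEVEL=\([0-9]\).*/\1/p' "$cnf" 2>/dev/null | head -n1)
    echo "${lvl:-1}"
}

# Modulus size of an RSA private key in PEM form.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n1
}

# Succeeds when a key of $1 bits would pass SSL_CTX_use_certificate() at
# security level $2, i.e. would not trigger "ee key too small".
rsa_key_ok() {
    [ "$1" -ge "$(min_rsa_bits_for_level "$2")" ]
}

# Generate a throwaway self-signed cert into directory $1 whose key clears
# security level $2 (never smaller than 2048 bits, the ncat 7.80 default).
make_ncat_cert() {
    bits=$(min_rsa_bits_for_level "$2")
    [ "$bits" -ge 2048 ] || bits=2048
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj /CN=ncat \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# `sh thisscript.sh run`: report the level, build a cert and hand it to ncat.
if [ "${1:-}" = "run" ]; then
    lvl=$(default_seclevel)
    dir=$(mktemp -d)
    make_ncat_cert "$dir" "$lvl"
    echo "OpenSSL default security level: $lvl" \
         "(needs RSA >= $(min_rsa_bits_for_level "$lvl") bits)"
    echo "generated $(rsa_key_bits "$dir/key.pem")-bit key in $dir"
    # The workaround from the report: give ncat 7.70 a key that clears the level
    # instead of relying on its 1024-bit autogenerated one.
    ncat --ssl -l -p 4223 -v --ssl-key "$dir/key.pem" --ssl-cert "$dir/cert.pem"
fi
```

With SECLEVEL=2 in effect, rsa_key_ok 1024 2 fails and rsa_key_ok 2048 2 succeeds,
which is exactly the difference between the 7.70 and 7.80 output shown in the
report; a 1024-bit key would still be accepted on a system whose default level is 1.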