Using Ncat to Provide SSL-support to Non-Ssl Capable Software

Fri 21 August 2009 Category: Uncategorized

Sometimes, people are using software that does not support encrypted connections using SSL. To provide SSL-support to such a client, ncat can be used. Ncat is part of nmap, the famous port-scanner.

The main principle is that the non-ssl capable software does not connect to the SSL-based service, but to the local host. Ncat will be listening on the localhost and will setup an SSL-connection with the SSL-based service on behalf of the non-ssl capable software.

This simple command allows an application to browse to port 80, and perform regular HTTP-request, while in fact, they are encapsulated within a SSL- connection:

ncat -l 80 -c "ncat (ip-address) (port) --ssl"

The -l option specifies the local port on which the SSL-tunnel will be listening. The ip-address and port refer to the SSL-based service.

So if the client connects to on port 80 it will actually connect through the SSL-tunnel to the external service.

Often stunnel is used for this job but this software craps out on debian Etch with some error like:

SSL routines:SSL3_GET_RECORD:bad decompression

But ncat is an excellent alternative.