SSL Connection

Go To Product Page

The SSL Connection plugin turns IO Ninja into a highly configurable raw SSL client-side terminal.

Basic Setup

In IO Ninja, click the “New Session” dropdown and select “SSL Connection”.

Type your remote address e.g. “ioninja.com” and click “Connect”.

Expand SSL certificates by pressing the [+] button in the log.

Send packets using the “Transmit” pane and see responses in the log.

For basic testing, you can try to pull IO Ninja’s logo with the following GET packet:

GET /images/icons/ioninja-256x256.png HTTP/1.1
Host: ioninja.com

Remember to add two blank lines after the last header line to indicate the end of the request.

Adjust settings as needed via the “Settings” button (see “Settings” section below for details).

Settings

Setting	Description	Default
Remote address	Remote address to connect to. Can be specified via IPv4 (`127.0.0.1`), IPv6 (`::1`), or a domain name (`localhost`). Remote address can be suffixed with the remote port after a colon, e.g. `ioninja.com:443`.
Remote port (default)	Remote port to connect to in cases when a port is not explicitly specified in Remote address.	80
Reconnect	Attempt to reconnect when connection is dropped by the remote node.	False
Reconnect timeout	The delay between reconnect attempts.	3000
Use local address	Bind socket to the specified local address.	False
Adapter	Local network adapter to bind to. Pick one from the list of installed network adapters (or bind to all installed `IP4` or all `IP6` adapters at once).	Auto
Local port	Local port to bind to. Setting this to `0` auto-selects an available port.	8080
Reuse address	Allow multiple sockets to share the same local address. Maps to the `SO_REUSEADDR` socket option. Please note, the support and details of implementation for this option are highly platform-specific.	False
TCP Nagle algorithm	Delay transmission to reduce the number of small TCP packets. Maps to the `TCP_NODELAY` socket option.	False
TCP reset	Drop TCP connections abruptly with a TCP RST packet. Maps to the `SO_LINGER` socket option.	False
TCP keep-alives	Detect connection loss with TCP keep-alive probes. Maps to the `TCP_KEEPALIVE` socket option.	False
Cipher suite	Select an OpenSSL cipher mode. OpenSSL ciphers refer to the cryptographic algorithms supported by the OpenSSL library for securing data in transit, typically over SSL/TLS connections. Read more about OpenSSL ciphers here. See avaialble options.	ALL
Use certificate	Whether or not to use a certificate for the SSL connection.	False
Certificate	Specify the file path of the certificate.
Private key	Specify the private key for the certificate.
Verify certificates	Whether or not to verify the certificate of the target SSL server.	False
CA certificate	Specify the file path of the CA certificate to be used for verification.
CA directory	Specify a directory of CA certificates to be used for verification.
Verify depth	Specify the maximum certificate certificate chain length. A certificate chain is a sequence of certificates—starting with the SSL/TLS certificate and followed by one or more Certificate Authority (CA) certificates—that allows the recipient to verify the authenticity and trustworthiness of both the sender and the issuing CAs.	10
Pass hostname (SNI)	Whether or not to pass the hostname during the handshake for SNI (Server Name Indication). SNI is an extension of the TLS networking protocol that enables a client to include the hostname it is trying to connect to as part of the TLS handshake process.	True
Read block size (B)	The size of each individual read block submitted to the underlying transport.	4KB
RX buffer size (B)	The full size of the incoming data (RX) buffer. Affects read throughput.	16KB
TX buffer size (B)	The full size of the outbound data (TX) buffer. Affects write throughput.	16KB
Keep read block size	Don’t merge read blocks in RX buffer. Incoming data blocks coming in quick succession can be merged together so that IO Ninja writes them to log as a whole. When this option is set to `True`, blocks are written to the log without merging, i.e., exactly as they are received from the underlying transport.	False
Keep write block size	Don’t merge write blocks in TX buffer. Outbound data blocks sent in quick succession can be merged together before submission to the underlying transport. When this option is set to `True`, blocks are submitted to the transport without merging, i.e., exactly as they are sent by the Transmit or Script panes.	False
RX buffer full notifications	Toggle warnings in log about the incoming data (RX) buffer getting full.	False

Cipher Suite Options

Cipher Suite	Cipher Strings	Description
Encrypted	`ALL`	All cipher suites are included except for the `eNULL` ciphers, which must be explicitly enabled if required. Since OpenSSL 1.0.0, the `ALL` cipher suites are ordered in a reasonable default sequence.
Encrypted & authenticated	`ALL` `!aNULL`	Refers to all cipher suites supported by OpenSSL that provide both encryption and authentication. This is achieved by including `ALL`, which covers all cipher suites except those offering no encryption (`eNULL`), and excluding `aNULL`, which represents cipher suites with no authentication. This combination ensures that only secure ciphers that encrypt data and verify the identity of the communicating parties are used.
OpenSSL default	`ALL` `!EXPORT` `!LOW` `!aNULL` `!eNULL` `!SSLv2`	Includes all the ciphers from the `ALL` category while further excluding specific categories considered insecure or outdated: `EXPORT` (export-grade weak ciphers), `LOW` (low-strength ciphers like 64-bit or 56-bit encryption), `aNULL` (unauthenticated ciphers), `eNULL` (unencrypted ciphers), and `SSLv2` (obsolete and insecure SSL version 2). This selection aims to maintain a high level of compatibility while avoiding known insecure or deprecated cipher suites.
All (including unencrypted)	`ALL` `eNULL`	Uses the `ALL` cipher suite list and explicitly includes `eNULL`, thereby enabling cipher suites that offer no encryption at all. This setting allows every possible cipher supported by OpenSSL, including those that provide no data confidentiality, which is highly insecure and generally only used for testing or debugging purposes.