SSL Connection


The SSL Connection plugin turns IO Ninja into a highly configurable raw SSL client-side terminal.

Basic Setup

  1. In IO Ninja, click the “New Session” dropdown and select “SSL Connection”.

  2. Type your remote address, e.g. “ioninja.com”, and click “Connect”.

  3. Expand SSL certificates by pressing the [+] button in the log.

  4. Send packets using the “Transmit” pane and see responses in the log.

For basic testing, you can try to pull IO Ninja’s logo with the following GET packet:

GET /images/icons/ioninja-256x256.png HTTP/1.1
Host: ioninja.com

Remember to add two blank lines after the last header line to indicate the end of the request.

  5. Adjust settings as needed via the “Settings” button (see the “Settings” section below for details).

Settings


| Setting | Description | Default |
| --- | --- | --- |
| Remote address | Remote address to connect to. Can be specified via IPv4 (127.0.0.1), IPv6 (::1), or a domain name (localhost). Remote address can be suffixed with the remote port after a colon, e.g. ioninja.com:443. | |
| Remote port (default) | Remote port to connect to in cases when a port is not explicitly specified in Remote address. | 80 |
| Reconnect | Attempt to reconnect when the connection is dropped by the remote node. | False |
| Reconnect timeout | The delay between reconnect attempts. | 3000 |
| Use local address | Bind socket to the specified local address. | False |
| Adapter | Local network adapter to bind to. Pick one from the list of installed network adapters (or bind to all installed IPv4 or all IPv6 adapters at once). | Auto |
| Local port | Local port to bind to. Setting this to 0 auto-selects an available port. | 8080 |
| Reuse address | Allow multiple sockets to share the same local address. Maps to the SO_REUSEADDR socket option. Please note that the support and implementation details for this option are highly platform-specific. | False |
| TCP Nagle algorithm | Delay transmission to reduce the number of small TCP packets. Maps to the TCP_NODELAY socket option. | False |
| TCP reset | Drop TCP connections abruptly with a TCP RST packet. Maps to the SO_LINGER socket option. | False |
| TCP keep-alives | Detect connection loss with TCP keep-alive probes. Maps to the TCP_KEEPALIVE socket option. | False |
| Cipher suite | Select an OpenSSL cipher mode. OpenSSL ciphers refer to the cryptographic algorithms supported by the OpenSSL library for securing data in transit, typically over SSL/TLS connections. See “Cipher Suite Options” below for the available options. | ALL |
| Use certificate | Whether or not to use a certificate for the SSL connection. | False |
| Certificate | Specify the file path of the certificate. | |
| Private key | Specify the private key for the certificate. | |
| Verify certificates | Whether or not to verify the certificate of the target SSL server. | False |
| CA certificate | Specify the file path of the CA certificate to be used for verification. | |
| CA directory | Specify a directory of CA certificates to be used for verification. | |
| Verify depth | Specify the maximum certificate chain length. A certificate chain is a sequence of certificates (starting with the SSL/TLS certificate and followed by one or more Certificate Authority (CA) certificates) that allows the recipient to verify the authenticity and trustworthiness of both the sender and the issuing CAs. | 10 |
| Pass hostname (SNI) | Whether or not to pass the hostname during the handshake for SNI (Server Name Indication). SNI is an extension of the TLS networking protocol that enables a client to include the hostname it is trying to connect to as part of the TLS handshake process. | True |
| Read block size (B) | The size of each individual read block submitted to the underlying transport. | 4KB |
| RX buffer size (B) | The full size of the incoming data (RX) buffer. Affects read throughput. | 16KB |
| TX buffer size (B) | The full size of the outbound data (TX) buffer. Affects write throughput. | 16KB |
| Keep read block size | Don’t merge read blocks in RX buffer. Incoming data blocks coming in quick succession can be merged together so that IO Ninja writes them to log as a whole. When this option is set to True, blocks are written to the log without merging, i.e., exactly as they are received from the underlying transport. | False |
| Keep write block size | Don’t merge write blocks in TX buffer. Outbound data blocks sent in quick succession can be merged together before submission to the underlying transport. When this option is set to True, blocks are submitted to the transport without merging, i.e., exactly as they are sent by the Transmit or Script panes. | False |
| RX buffer full notifications | Toggle warnings in log about the incoming data (RX) buffer getting full. | False |

Cipher Suite Options

| Cipher Suite | Cipher Strings | Description |
| --- | --- | --- |
| Encrypted | ALL | All cipher suites are included except for the eNULL ciphers, which must be explicitly enabled if required. Since OpenSSL 1.0.0, the ALL cipher suites are ordered in a reasonable default sequence. |
| Encrypted & authenticated | ALL !aNULL | Refers to all cipher suites supported by OpenSSL that provide both encryption and authentication. This is achieved by including ALL, which covers all cipher suites except those offering no encryption (eNULL), and excluding aNULL, which represents cipher suites with no authentication. This combination ensures that only secure ciphers that encrypt data and verify the identity of the communicating parties are used. |
| OpenSSL default | ALL !EXPORT !LOW !aNULL !eNULL !SSLv2 | Includes all the ciphers from the ALL category while further excluding specific categories considered insecure or outdated: EXPORT (export-grade weak ciphers), LOW (low-strength ciphers like 64-bit or 56-bit encryption), aNULL (unauthenticated ciphers), eNULL (unencrypted ciphers), and SSLv2 (obsolete and insecure SSL version 2). This selection aims to maintain a high level of compatibility while avoiding known insecure or deprecated cipher suites. |
| All (including unencrypted) | ALL eNULL | Uses the ALL cipher suite list and explicitly includes eNULL, thereby enabling cipher suites that offer no encryption at all. This setting allows every possible cipher supported by OpenSSL, including those that provide no data confidentiality, which is highly insecure and generally only used for testing or debugging purposes. |

Read more about OpenSSL ciphers here.
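
To see what each preset admits on a given machine, the cipher strings from the table can be expanded against the local OpenSSL build and checked for suites without authentication (Au=None) or without encryption (Enc=None). This is an added example, not part of IO Ninja or its documentation; it uses Python's ssl module, and the function names (expand, audit, report) are assumptions made for illustration.

```python
import ssl

# Cipher strings exactly as listed in the table above (space-separated;
# OpenSSL accepts spaces, commas or colons between items).
PRESETS = {
    "Encrypted": "ALL",
    "Encrypted & authenticated": "ALL !aNULL",
    "OpenSSL default": "ALL !EXPORT !LOW !aNULL !eNULL !SSLv2",
    "All (including unencrypted)": "ALL eNULL",
}


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """List suites that lack peer authentication or encryption."""
    suites = expand(cipher_string)
    # Each description is OpenSSL's SSL_CIPHER_description() text, which
    # carries "Au=<authentication>" and "Enc=<cipher>" fields.
    anon = [s["name"] for s in suites if "Au=None" in s["description"]]
    clear = [s["name"] for s in suites if "Enc=None" in s["description"]]
    return {"total": len(suites), "unauthenticated": anon, "unencrypted": clear}


def report():
    """Audit every preset from the table; keys are the preset labels."""
    return {label: audit(cs) for label, cs in PRESETS.items()}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, r in report().items():
        print(f"{label:30} total={r['total']:3} "
              f"anon={len(r['unauthenticated']):2} "
              f"null-enc={len(r['unencrypted']):2}")
```

The counts depend on the OpenSSL version and build options, so a suite being listed means the string allows it, not that a particular server will negotiate it.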

Note

An example of an adapter dropdown on a typical Windows laptop is shown below:

_images/tcp-proxy-adapters.png