Simple TLS Listener

2 min readApr 17, 2019


On occasion you need to listen for incoming connections and interact with the data being sent by the client. Most simple way might be with netcat (12345 is the port number to listen to):

$ nc -lvnp 12345

(-l for listen, -v for verbose, this will let you know once a connection is received, -n tells netcat not to resolve host and port names, -p indicates the port to listen on)

When you need to accept a TLS/SSL connection, things get a bit more complicated as regular netcat doesn’t support it.

Option 1 — ncat from nmap

nmap includes a version of netcat called ncat that supports TLS. This is the easiest option as it can also generate a certificate on the fly for you. Example:

$ ncat -lvnp 12345 --ssl

You can specify server certificate and key with--ssl-cert and--ssl-key, they will be automatically generated otherwise. More info:

Option 2 — socat

socat is a more advanced version of netcat that includes numerous useful features. To create a TLS server you will need to generate a server key and certificate first using openssl:

$ openssl req -new -x509 -keyout test.key -out test.crt -nodes
$ cat test.key test.crt > test.pem

Now you can start socat:

$ socat openssl-listen:12345,reuseaddr,cert=test.pem,verify=0,fork stdio

cert specifies key/certificate to use, fork tells socat to listen to multiple connections (useful if you’re connecting using a browser), verify=0 tells socat not to verify client certificate (default is to verify), stdio makes socat to print received data to the screen.




Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.