Nmap Development mailing list archives
Re: [Ncat] ca-bundle.crt contains expired certs
From: David Fifield <david () bamsoftware com>
Date: Fri, 27 May 2011 23:08:36 -0700
On Thu, May 19, 2011 at 06:49:10PM -0500, Daniel Miller wrote:
FYI, the ca-bundle.crt file that Ncat uses for --ssl-verify is out of date. I started by looking to see if any Comodo certificates were in it (remember that fiasco?), but decided to do a verification of the others, as best as I could. I'm sure this is incomplete, since I didn't check for revoked certificates (I don't think). Here's my process:

  # Split the file into separate certificates, each new file named xxNN where NN is sequential.
  csplit ca-bundle.crt '/^$/' '{*}'

  # Loop over the certs and verify
  for i in xx*; do openssl verify $i; done >verification.txt

  # Look for expired certs
  grep -B1 expired verification.txt | grep ^/

By my count, 29 of the 106 certificates are expired.

The problem of whom to trust in certificate verification is complex, but in the case of Ncat, there are likely fewer security holes than in the average Web browser, so we can be a little more lenient. It comes down to the use cases: why do Ncat users use the --ssl-verify feature? I can't really answer that, since I don't use it myself. But I think we would best serve the Ncat users by at least updating the file from the Microsoft source that's mentioned in ncat/certs/README.
Thanks for checking this. Having to maintain a CA list is a crummy job to have.

I read the EFF's SSL Observatory page at http://www.eff.org/observatory. Their Defcon presentation slides say that Windows 7 has only 19 trusted root certs, though the list can be silently and dynamically expanded. I checked on a new Windows 7 and found only 11:

  subject=/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA
  subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server () thawte com
  subject=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign Time Stamping Service Root/OU=NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
  subject=/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
  subject=/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
  subject=/C=US/O=MSFT/CN=Microsoft Authenticode(tm) Root Authority
  subject=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
  subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  subject=/O=Microsoft Trust Network/OU=Microsoft Corporation/OU=Microsoft Time Stamping Service Root/OU=Copyright (c) 1997 Microsoft Corp.
  subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

It would probably be better to switch to this much shorter list?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
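The expiry audit Daniel describes above (split the bundle, check each certificate, grep for "expired") done without OpenSSL, as an added example that is not part of the thread and not Ncat or Nmap code. It walks the DER structure of each PEM block far enough to read the Validity field and the subject commonName, which is all the check needs. The three certificates in SAMPLE_BUNDLE are constructed fixtures built by make_dummy_cert_pem: structurally valid X.509 but with a garbage signature and an empty key, so they parse but are trusted by nothing. The function and field names are this example's own.

```python
"""Report expired certificates in a PEM CA bundle using a minimal DER walker."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # 2.5.4.3 commonName


def pem_to_der_list(bundle):
    """Counterpart of the csplit step: one DER blob per PEM block in the bundle."""
    return [base64.b64decode(b"".join(m.group(1).split()))
            for m in PEM_RE.finditer(bundle)]


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """All (tag, body) pairs directly inside a constructed element."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        out.append((tag, body))
    return out


def _parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 century rule
    # tag 0x18 GeneralizedTime is already YYYYMMDDHHMMSSZ
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _common_name(name_content):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }
    for _, rdn_set in _children(name_content):
        for _, atv in _children(rdn_set):
            oid, value = _children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8", "replace")
    return "?"


def cert_info(der):
    """Return (subject CN, notBefore, notAfter) by walking TBSCertificate."""
    _, cert_body, _ = _tlv(der)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert_body)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, spki, ...
    validity, subject = fields[3][1], fields[4][1]
    (t1, b1), (t2, b2) = _children(validity)
    return _common_name(subject), _parse_time(t1, b1), _parse_time(t2, b2)


def expired_certs(bundle, as_of=None):
    """Like 'openssl verify | grep expired': CNs whose notAfter is before as_of.
    as_of is a GeneralizedTime string (YYYYMMDDHHMMSSZ); default is now."""
    now = _parse_time(0x18, as_of.encode()) if as_of else datetime.now(timezone.utc)
    return [cn for cn, _, not_after in map(cert_info, pem_to_der_list(bundle))
            if not_after < now]


def _der(tag, content):
    """DER-encode one element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_dummy_cert_pem(cn, not_before, not_after):
    """CONSTRUCTED fixture: structurally valid X.509 v3, unsigned, empty key."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x13, cn.encode()))))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 17))   # placeholder key, same alg reused
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))   # garbage signature
    b64 = base64.encodebytes(cert).replace(b"\n", b"")
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Constructed three-certificate bundle: two expired, one still valid (UTCTime).
SAMPLE_BUNDLE = b"".join([
    make_dummy_cert_pem("Old Root CA", "980101000000Z", "081231235959Z"),
    make_dummy_cert_pem("Still Valid Root", "100101000000Z", "401231235959Z"),
    make_dummy_cert_pem("Another Expired", "950101000000Z", "040101000000Z"),
])

if __name__ == "__main__":
    for cn, nb, na in map(cert_info, pem_to_der_list(SAMPLE_BUNDLE)):
        print(f"{cn}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d}")
    print("expired as of 2011-05-19:", expired_certs(SAMPLE_BUNDLE, "20110519000000Z"))
```

Pointing pem_to_der_list at a real ca-bundle.crt gives the same count the csplit/openssl loop produces, and cert_info also returns notBefore, which the grep in the original process discards; a bundle entry that is not yet valid is as useless to --ssl-verify as one that has lapsed.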
Current thread:
- [Ncat] ca-bundle.crt contains expired certs Daniel Miller (May 19)
- Re: [Ncat] ca-bundle.crt contains expired certs David Fifield (May 27)