Nmap Development mailing list archives

Re: [Ncat] ca-bundle.crt contains expired certs


From: David Fifield <david () bamsoftware com>
Date: Fri, 27 May 2011 23:08:36 -0700

On Thu, May 19, 2011 at 06:49:10PM -0500, Daniel Miller wrote:
FYI,

The ca-bundle.crt file that Ncat uses for --ssl-verify is out of date. I
started by looking to see if any Comodo certificates were in it (remember
that fiasco?), but decided to do a verification of the others, as best as I
could. I'm sure this is incomplete, since I didn't check for revoked
certificates (I don't think). Here's my process:

# Split the file into separate certificates, each new file named xxNN where
# NN is sequential.
csplit ca-bundle.crt '/^$/' '{*}'
# Loop over the certs and verify each one against the default trust store
for i in xx*; do openssl verify "$i"; done >verification.txt
# Look for expired certs (the subject line precedes each verify error)
grep -B1 expired verification.txt | grep ^/

By my count, 29 of the 106 certificates are expired. The problem of whom to
trust in certificate verification is complex, but in the case of Ncat, there
are likely fewer security holes than in the average Web browser, so we can
be a little more lenient. It comes down to the use cases: why do Ncat users
use the --ssl-verify feature? I can't really answer that, since I don't use
it myself. But I think we would best serve the Ncat users by at least
updating the file from the Microsoft source that's mentioned in
ncat/certs/README.

Thanks for checking this. Having to maintain a CA list is a crummy job
to have. I read the EFF's SSL Observatory page at
http://www.eff.org/observatory. Their Defcon presentation slides say
that Windows 7 has only 19 trusted root certs, though the list can be
silently and dynamically expanded. I checked on a new Windows 7 and
found only 11:

subject=/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server () thawte com
subject=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign Time Stamping Service Root/OU=NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
subject=/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
subject=/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
subject=/C=US/O=MSFT/CN=Microsoft Authenticode(tm) Root Authority
subject=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
subject=/O=Microsoft Trust Network/OU=Microsoft Corporation/OU=Microsoft Time Stamping Service Root/OU=Copyright (c) 1997 Microsoft Corp.
subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

It would probably be better to switch to this much shorter list?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
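The expiry check in Daniel's message greps the text that openssl verify prints, which changes between OpenSSL versions, and csplit on blank lines keeps whatever commentary the bundle carries between certificates. The script below is an added example for this thread, not Ncat's code and not either poster's script: it splits on the PEM markers and asks openssl x509 -checkend directly, reporting every certificate whose notAfter falls within a given number of seconds (0 meaning already expired). It assumes openssl and awk are on PATH; the two self-signed EC certificates it builds when run without arguments are constructed sample data, not real CA certificates.

```shell
#!/bin/sh
# Added example (not Ncat's code, not Daniel's or David's script): report the
# certificates in a PEM bundle whose notAfter is within SECONDS of now.
# SECONDS=0 means "already expired".  It asks openssl x509 -checkend directly,
# so it does not depend on the wording or layout of openssl verify's output,
# and it splits on the PEM markers, so commentary between certificates (as in
# the Microsoft/Mozilla bundles) is ignored.  Assumes openssl and awk on PATH.

# split_bundle BUNDLE OUTDIR: write each PEM certificate to OUTDIR/certNNN.pem
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# expiring_within BUNDLE SECONDS: print "notAfter=... subject=..." for every
# certificate that openssl says expires within SECONDS; prints nothing if none.
expiring_within() {
    bundle=$1
    secs=$2
    dir=$(mktemp -d) || return 1
    split_bundle "$bundle" "$dir"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || break              # bundle contained no certificates
        # -checkend exits non-zero when the certificate expires within $secs
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            openssl x509 -in "$f" -noout -enddate -subject | paste -s -d ' ' -
        fi
    done
    rm -rf "$dir"
    return 0
}

# make_sample_bundle OUTFILE: constructed test data, two self-signed EC certs,
# one valid for a day and one for ten years (not real CA certificates).
make_sample_bundle() {
    : > "$1"
    for spec in short-lived:1 long-lived:3650; do
        name=${spec%%:*}
        days=${spec##*:}
        printf '# constructed sample: %s\n' "$name" >> "$1"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout /dev/null -subj "/CN=$name" -days "$days" 2>/dev/null >> "$1"
    done
}

# Usage: sh check_bundle.sh ca-bundle.crt [SECONDS]   (default 0 = expired now)
if [ -n "${1:-}" ]; then
    expiring_within "$1" "${2:-0}"
else
    sample=$(mktemp)
    make_sample_bundle "$sample"
    echo "certificates in the constructed sample expiring within 3 days:"
    expiring_within "$sample" $((3 * 86400))
    rm -f "$sample"
fi
```

Run it as `sh check_bundle.sh ncat/certs/ca-bundle.crt` to list the roots that have already expired, or pass a second argument such as 7776000 (90 days) to see which ones are about to. Splitting on the BEGIN/END markers rather than blank lines is what makes it safe on bundles that interleave descriptive text with the certificates.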

