Nmap Development mailing list archives
Re: [NSE] SSL certificate chain and verification
From: David Fifield <david () bamsoftware com>
Date: Mon, 17 Jun 2013 21:29:12 -0700
Thanks Patrik. Can you add documentation for the new result format in nselib/nmap.luadoc, and send a new patch?

On Sat, Jun 08, 2013 at 09:24:46PM -0400, Patrik Karlsson wrote:
> On Sat, Jun 8, 2013 at 10:24 AM, Jesper Kückelhahn <dev.kyckel () gmail com> wrote:
> > 3. Would it be possible to check if the subject CommonName matches either the supplied domain name (assuming that the supplied host is not an IP address) or the reverse lookup?
>
> I will look into this, it was on my TODO list if the patch caught any attention.

Okay, but this is nontrivial and should be done as a separate patch. Check Ncat's cert_match_dnsname and the tests in ncat/test/test-wildcard.c.

> > 4. If I'm understanding the verification correctly, it uses the local installation of OpenSSL to verify the certificate. If this is the case, then couldn't it be that the results of the verification might vary across different systems, depending on the version of OpenSSL and local list of trusted certificates? Would it then make sense to include such a list of trusted certificates to nmap, so the results are consistent? Or am I missing something in my understanding of OpenSSL's verification process?
>
> Correct. Although I'm unsure whether it would be a good idea or not to bundle a cacert.pem file with Nmap. The attached patch adds (in addition to the previous stuff) the ability to add a custom cacert.pem to the nselib/data directory. It will only use this file if it is present, otherwise it will use the system one.

I think this is a bad idea. We already do it for Ncat's certificate store, which means Ncat's certificate store is always out of date. Don't hardcode a name like cacert.pem. Instead provide a script argument allowing someone to use their PEM file in any location, like Ncat's --ssl-trustfile.

> > On a side note, it seems that the output is a bit off (notice the missing newline at ssl-cert and the indentation level):
>
> Thanks, I saw this as well, but didn't change it, I will if I end up committing the patch.

Please don't do that as part of a patch implementing an unrelated feature. Just commit it straight to the trunk.

David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
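The name check discussed above (does the certificate's CommonName or dNSName cover the host the scanner connected to, skipping the check when the target is an IP address) is the part David calls nontrivial: the wildcard rules are where implementations usually go wrong. The following is an added example, not code from the thread, from the patch, or from Ncat's cert_match_dnsname; it implements the widely used reading of the RFC 6125 rules (wildcard only as the whole left-most label, matching exactly one label, never bare "*.tld") and, as this example's own assumption, prefers Subject Alternative Name dNSNames over the CN when any are present. The function names `match_dnsname` and `cert_matches_host` and the sample names are constructed here.

```python
import ipaddress


def _split_labels(name: str):
    """Lower-case a DNS name, drop one trailing dot, and return its labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def match_dnsname(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`.

    Rules applied (this example's reading of RFC 6125 section 6.4.3, stated
    as an assumption, not as Ncat's exact behaviour):
      - comparison is case-insensitive, label by label;
      - a '*' is accepted only as the entire left-most label;
      - the wildcard stands for exactly one label ('*.example.com' does not
        cover 'a.b.example.com' or 'example.com');
      - the wildcard needs at least two labels to its right ('*.com' is refused).
    """
    pat = _split_labels(pattern)
    host = _split_labels(hostname)
    if not pat or not host:
        return False
    if "*" not in pattern:
        return pat == host                      # plain name: exact label match
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]):
        return False                            # 'w*.example.com', 'www.*.com'
    if len(pat) < 3:
        return False                            # '*.com' would cover all of .com
    if len(host) != len(pat):
        return False                            # '*' must be exactly one label
    return pat[1:] == host[1:]


def cert_matches_host(subject_cn, san_dnsnames, hostname) -> bool:
    """Decide whether a certificate's names cover `hostname`.

    An IP-address target is never matched against DNS names (the thread's
    "assuming the supplied host is not an IP address"). When the certificate
    carries dNSName SANs those are authoritative; the CN is consulted only
    when no dNSName SAN is present (assumption of this example).
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if san_dnsnames:
        names = list(san_dnsnames)
    else:
        names = [subject_cn] if subject_cn else []
    return any(match_dnsname(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed sample certificate names and targets.
    checks = [
        ("www.example.com", [], "WWW.Example.COM."),        # case/trailing dot
        ("*.example.com", [], "www.example.com"),           # one-label wildcard
        ("*.example.com", [], "a.b.example.com"),           # too deep
        ("*.com", [], "example.com"),                       # bare TLD wildcard
        ("*.example.com", [], "192.0.2.1"),                 # IP target skipped
        ("ignored.cn", ["*.example.com"], "www.example.com"),
    ]
    for cn, sans, host in checks:
        print(f"{host:22} CN={cn:18} SAN={sans!s:20} -> {cert_matches_host(cn, sans, host)}")
```

A reverse lookup of the target, as Jesper suggests, can simply be passed as `hostname` in a second call; the matching rules are the same. Test files such as Ncat's test-wildcard.c exercise exactly the wildcard corner cases listed in the docstring, which is why David points to them.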