Nmap Development mailing list archives

Ncat's ca-bundle.crt file


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 14 Nov 2014 23:23:58 -0600

List,

Ncat comes with a bundle of trusted CA certificates [1] for its SSL/TLS
mode. This file has not been updated since at least November 2011, and
contains several out-of-date certs (and probably some revoked ones). The
procedures in the associated README file are out-of-date since Windows
versions after XP get their certificates dynamically from Microsoft as
needed, so the list present on any system is not the complete list.

I see a few alternatives:

1. We abandon the effort to keep an updated trust list and instead support
OS-specific ways of obtaining a trust list (doesn't work on Linux,
according to [2])

2. We use Mozilla's list, either downloaded from [3] or using the tool
mentioned in the README

3. (Not exclusive of the other options) We support a command-line flag to
specify a trust store.

Thoughts?

Dan

[1] https://svn.nmap.org/nmap/ncat/certs/
[2] http://www.chromium.org/Home/chromium-security/root-ca-policy
[3] http://curl.haxx.se/docs/caextract.html
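
A way to check a PEM bundle such as ca-bundle.crt for the out-of-date certificates described above, added here as an example; it is not part of the original message or of Ncat. The function names `auditBundle` and `constructedCA` are hypothetical, the two test CAs are generated in memory as constructed sample input, and only validity dates are checked, not revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// auditBundle returns the subject of every certificate in a PEM CA bundle that
// is expired or not yet valid at time now; unparsable entries are reported too.
func auditBundle(bundle []byte, now time.Time) (stale []string) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			stale = append(stale, "unparsable: "+err.Error())
		} else if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			stale = append(stale, cert.Subject.String())
		}
	}
	return stale
}

// constructedCA builds a throwaway self-signed CA in PEM form (constructed sample input).
func constructedCA(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	bundle := append(constructedCA("expired-test-ca", now.AddDate(-5, 0, 0), now.AddDate(-1, 0, 0)),
		constructedCA("current-test-ca", now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0))...)
	fmt.Println(auditBundle(bundle, now))
}
```

To audit a real bundle, read the file into a byte slice and pass it to `auditBundle` with `time.Now()`.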