Nmap Development mailing list archives
Re: Ncat's ca-bundle.crt file
From: David Fifield <david () bamsoftware com>
Date: Sun, 16 Nov 2014 15:11:45 -0800
On Fri, Nov 14, 2014 at 11:23:58PM -0600, Daniel Miller wrote:
> Ncat comes with a bundle of trusted CA certificates [1] for its SSL/TLS mode. This file has not been updated since at least November 2011, and contains several out-of-date certs (and probably some revoked ones). The procedures in the associated README file are out-of-date since Windows versions after XP get their certificates dynamically from Microsoft as needed, so the list present on any system is not the complete list. I see a few alternatives:
>
> 1. We abandon the effort to keep an updated trust list and instead support OS-specific ways of obtaining a trust list (doesn't work on Linux, according to [2])
>
> 2. We use Mozilla's list, either downloaded from [3] or using the tool mentioned in the README
>
> 3. (Not exclusive of the other options) We support a command-line flag to specify a trust store.
I think trying to maintain a CA list is a losing game. There are no incentives on Ncat's side to keep it up to date, so it will always fall out of date. We already trust the default OpenSSL trust store (/etc/ssl/certs) by calling SSL_CTX_set_default_verify_paths in ncat_posix.c. This works fine on Debian. I think some distros (e.g. Fedora) automatically sync the OpenSSL and NSS stores. As far as I know though, SSL_CTX_set_default_verify_paths only does anything on GNU/Linux.

There is already --ssl-trustfile for #3.

David

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
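The two points at issue in this exchange, a bundled ca-bundle.crt that silently accumulates expired certificates and the OpenSSL default verify paths that SSL_CTX_set_default_verify_paths falls back to, can both be checked from a script. The following is an added example, not code from Ncat or from either poster: it walks a PEM bundle with a minimal DER parser (standard library only, no cryptography package) to list entries whose notAfter is already in the past, and reports the CAfile/CApath that the OpenSSL linked into Python was built to use. The sample bundle is constructed inline from DER skeletons that have the Certificate layout but no real keys or signatures, and the audit date is taken from the date of this thread; both are assumptions for the demonstration. Note that Python reports the default paths of the OpenSSL it was built against, which may differ from the one Ncat is linked with.

```python
# Added example (not Ncat's code): audit a PEM CA bundle for certificates that
# have already expired, and show the OpenSSL default verify paths that
# SSL_CTX_set_default_verify_paths() consults. Standard library only.
import base64
import datetime
import re
import ssl

UTC = datetime.timezone.utc
AUDIT_DATE = datetime.datetime(2014, 11, 16, tzinfo=UTC)   # date of this thread (assumed)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    text = value.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 is 19YY, otherwise 20YY
        year = int(text[:2])
        text = "%d%s" % (year + (1900 if year >= 50 else 2000), text[2:])
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_not_after(der):
    """Return the notAfter timestamp of a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs = next(_children(cert))           # tbsCertificate is the first element
    fields = [f for f in _children(tbs) if f[0] != 0xA0]   # drop the optional [0] version
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity = fields[3][1]
    not_after = list(_children(validity))[1]  # validity ::= SEQUENCE { notBefore, notAfter }
    return _parse_time(*not_after)


def expired_certs(pem_text, now):
    """Return [(index, notAfter)] for every bundle entry already expired at `now`."""
    expired = []
    for index, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode(match.group(1))   # non-alphabet bytes (newlines) are skipped
        not_after = cert_not_after(der)
        if not_after < now:
            expired.append((index, not_after))
    return expired


def default_trust_paths():
    """CAfile and CApath that this OpenSSL build uses when no trust store is given."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile, paths.openssl_capath


# --- constructed sample bundle: DER skeletons with the Certificate layout, not
# --- real signed certificates; just enough structure for the parser above.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _fake_cert(not_before, not_after):
    validity = _tlv(0x30, _tlv(*not_before) + _tlv(*not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version v3
                     + _tlv(0x02, b"\x01")              # serialNumber
                     + _tlv(0x30, b"")                  # signature algorithm (placeholder)
                     + _tlv(0x30, b"")                  # issuer (placeholder)
                     + validity
                     + _tlv(0x30, b"")                  # subject (placeholder)
                     + _tlv(0x30, b""))                 # subjectPublicKeyInfo (placeholder)
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()


SAMPLE_BUNDLE = (
    _fake_cert((0x18, b"20101101000000Z"), (0x18, b"20301231235959Z"))   # still valid
    + _fake_cert((0x17, b"091101000000Z"), (0x17, b"141101000000Z"))     # expired 2014-11-01
    + _fake_cert((0x17, b"991101000000Z"), (0x17, b"091101000000Z"))     # expired 2009-11-01
)

if __name__ == "__main__":
    print("OpenSSL default CAfile/CApath:", default_trust_paths())
    for index, not_after in expired_certs(SAMPLE_BUNDLE, AUDIT_DATE):
        print("bundle entry %d expired on %s" % (index, not_after.date()))
```

Run against a real bundle by reading the file into `expired_certs(open(path).read(), datetime.datetime.now(UTC))`; expiry is the only property this parser checks, so a revoked-but-unexpired root (the other concern raised above) would still pass and needs a current upstream list rather than a local check.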
Current thread:
- Ncat's ca-bundle.crt file Daniel Miller (Nov 14)
- Re: Ncat's ca-bundle.crt file David Fifield (Nov 16)