Nmap Development mailing list archives

Re: Ncat's ca-bundle.crt file


From: David Fifield <david () bamsoftware com>
Date: Sun, 16 Nov 2014 15:11:45 -0800

On Fri, Nov 14, 2014 at 11:23:58PM -0600, Daniel Miller wrote:
> Ncat comes with a bundle of trusted CA certificates [1] for its SSL/TLS mode.
> This file has not been updated since at least November 2011, and contains
> several out-of-date certs (and probably some revoked ones). The procedures in
> the associated README file are out-of-date since Windows versions after XP get
> their certificates dynamically from Microsoft as needed, so the list present on
> any system is not the complete list.
>
> I see a few alternatives:
>
> 1. We abandon the effort to keep an updated trust list and instead support
> OS-specific ways of obtaining a trust list (doesn't work on Linux, according to
> [2])
>
> 2. We use Mozilla's list, either downloaded from [3] or using the tool
> mentioned in the README
>
> 3. (Not exclusive of the other options) We support a command-line flag to
> specify a trust store.

I think trying to maintain a CA list is a losing game. There are no
incentives on Ncat's side to keep it up to date, so it will always fall
out of date.

We already trust the default OpenSSL trust store (/etc/ssl/certs) by
calling SSL_CTX_set_default_verify_paths in ncat_posix.c. This works
fine on Debian. I think some distros (e.g. Fedora) automatically sync
the OpenSSL and NSS stores. As far as I know though,
SSL_CTX_set_default_verify_paths only does anything on GNU/Linux.

There is already --ssl-trustfile for #3.

David
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
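Daniel's observation above that the bundled ca-bundle.crt contains out-of-date certificates can be checked mechanically rather than by eye. The following Python script is an added example, not code from Ncat or from either poster; it walks just enough DER to read each certificate's validity period and lists the expired entries of a PEM bundle. The synthetic_cert helper and its dates are constructed demo input, not real CA certificates; for the real bundle, pass the file's bytes to expired_certs.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):                        # one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _parse_time(tag, raw):
    # UTCTime (0x17, two-digit year) or GeneralizedTime (0x18); DER X.509 times end in 'Z'.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate by walking its TLVs."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # optional [0] EXPLICIT version (absent in v1 roots)
    for _ in range(3):                      # skip serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])

def expired_certs(bundle_pem, now=None):
    """List (index, notAfter) for every certificate in a PEM bundle that has expired."""
    now = now or datetime.now(timezone.utc)
    expired = []
    for i, m in enumerate(PEM_RE.finditer(bundle_pem)):
        _, not_after = cert_validity(base64.b64decode(m.group(1)))
        if not_after < now:
            expired.append((i, not_after))
    return expired

def _der(tag, body):                        # minimal DER encoder, only for the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def synthetic_cert(not_after):
    """Constructed, unsigned certificate skeleton with the given UTCTime notAfter (demo input only)."""
    validity = _der(0x30, _der(0x17, b"111101000000Z") + _der(0x17, not_after))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Running expired_certs over a constructed bundle of one certificate that expired in 2013 and one valid until 2049 reports only the first, as index 0 with its notAfter date.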