Nmap Development mailing list archives

Trusted root CA certificates shipped with Ncat


From: David Fifield <david () bamsoftware com>
Date: Tue, 28 Apr 2009 22:48:59 -0600

Recently Ncat gained the ability to verify server certificates in SSL
mode.

http://seclists.org/nmap-dev/2009/q2/0197.html

If you don't use the --ssl-trustfile option, Ncat tries to use whatever
default certificates are installed by the operating system. Where these
are depends on how OpenSSL was installed. On Debian they are in
/etc/ssl/certs, and in Fedora they are somewhere else, but certificate
verification works by default on both systems.

However, the verification didn't work on Windows and Mac OS X because
those operating systems don't install their certificates such that they
are accessible to OpenSSL. So in order to make certificate verification
work out of the box on those platforms, Ncat comes with a default set of
trusted certificates.

Where to get the certificates was an issue. The cURL project provides a
nice script that extracts the trust store from Mozilla source code:
http://curl.haxx.se/docs/caextract.html. Fyodor said he had heard that
Internet Explorer was more circumspect in what certificates it accepts,
so I found a way to extract those too. Indeed, Internet Explorer
(actually the certificates are shared by all of Windows) accepts fewer
certificates, 107 versus 126 for Mozilla. I ended up going with
Microsoft's certificate list. Comments on this decision are welcome.

I spent a long time chasing links to see if there is any legal/licensing
barrier to distributing these certificates. In general, the individual
certificates may be copyrighted by their respective CAs. VeriSign has a
click-through license agreement for downloading their root certificate:
http://www.verisign.com/repository/roots/pca_certificate.html. Mozilla
claims a copyright on their certificate data with their usual
tri-license, but any copyright would have to be on the database as a
whole and not the individual certificates. So in short, I didn't find
any clear answers, but it seems pretty reasonable to distribute these.
Here are some relevant links.
"What is the 'license of sole ca-bundle.crt?"
http://marc.info/?l=apache-modssl&m=108746432525768&w=2
"Legally the root certificates belong to the CAs and are not the
copyright of Mozilla."
http://sourceforge.net/tracker/index.php?func=detail&aid=1889593&group_id=976&atid=100976
"...there are no licensing issues here really."
http://www.issociate.de/board/post/170599/updating_ca-bundle.crt.html
"Extract of CA certificates"
http://article.gmane.org/gmane.comp.mozilla.security/3531

It would be nice not to have to ship these certificates at all. They are
unnecessary on a couple of Linux distributions at least. Windows and Mac
OS X do have system-wide lists of trusted certificates, of course, just
not in the form that OpenSSL expects. With some platform-specific code
(using CryptoAPI on Windows and Keychain on OS X) we could access those
certificates and possibly make them work with OpenSSL. Doing this might
become a feature creeper task this summer.

David Fifield
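
The trust-source order described in the message above (explicit trust file, then OpenSSL's default locations, then a shipped bundle), as an added example that is not part of the original message and is not Ncat's code. It uses Python's ssl module, which wraps OpenSSL; the function names and the "ca-bundle.crt" path are hypothetical.

```python
import os
import ssl

def usable_defaults(cafile, capath):
    """Return True if OpenSSL's default locations hold anything to trust."""
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    # OpenSSL reads a CApath directory lazily, so look for entries ourselves.
    return bool(capath and os.path.isdir(capath) and os.listdir(capath))

def choose_trust_source(trustfile, bundled, cafile=None, capath=None):
    """Pick where trusted roots come from, in the order the message describes."""
    if trustfile:                         # explicit file, like --ssl-trustfile
        return ("trustfile", trustfile)
    if usable_defaults(cafile, capath):   # e.g. /etc/ssl/certs on Debian
        return ("system", cafile or capath)
    return ("bundled", bundled)           # shipped fallback (Windows, Mac OS X)

def build_context(trustfile=None, bundled="ca-bundle.crt"):
    """Build a verifying client context from the chosen trust source."""
    d = ssl.get_default_verify_paths()    # compiled-in OpenSSL locations
    kind, path = choose_trust_source(trustfile, bundled, d.cafile, d.capath)
    # PROTOCOL_TLS_CLIENT turns on certificate and hostname verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if kind == "system":
        ctx.set_default_verify_paths()
    else:
        ctx.load_verify_locations(cafile=path)
    return kind, ctx

if __name__ == "__main__":
    d = ssl.get_default_verify_paths()
    print("OpenSSL default cafile:", d.openssl_cafile, "capath:", d.openssl_capath)
    print("chosen:", choose_trust_source(None, "ca-bundle.crt", d.cafile, d.capath))
```
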
