Nmap Development mailing list archives
Trusted root CA certificates shipped with Ncat
From: David Fifield <david () bamsoftware com>
Date: Tue, 28 Apr 2009 22:48:59 -0600
Recently Ncat gained the ability to verify server certificates in SSL mode.

http://seclists.org/nmap-dev/2009/q2/0197.html

If you don't use the --ssl-trustfile option, Ncat tries to use whatever default certificates are installed by the operating system. Where these are depends on how OpenSSL was installed. On Debian they are in /etc/ssl/certs, and in Fedora they are somewhere else, but certificate verification works by default on both systems. However, the verification didn't work on Windows and Mac OS X because those operating systems don't install their certificates such that they are accessible to OpenSSL. So in order to make certificate verification work out of the box on those platforms, Ncat comes with a default set of trusted certificates.

Where to get the certificates was an issue. The cURL project provides a nice script that extracts the trust store from Mozilla source code: http://curl.haxx.se/docs/caextract.html. Fyodor said he had heard that Internet Explorer was more circumspect in what certificates it accepts, so I found a way to extract those too. Indeed, Internet Explorer (actually the certificates are shared by all of Windows) accepts fewer certificates, 107 versus 126 for Mozilla. I ended up going with Microsoft's certificate list. Comments on this decision are welcome.

I spent a long time chasing links to see if there is any legal/licensing barrier to distributing these certificates. In general, the individual certificates may be copyrighted by their respective CAs. VeriSign has a click-through license agreement for downloading their root certificate: http://www.verisign.com/repository/roots/pca_certificate.html. Mozilla claims a copyright on their certificate data with their usual tri-license, but any copyright would have to be on the database as a whole and not the individual certificates. So in short, I didn't find any clear answers, but it seems pretty reasonable to distribute these. Here are some relevant links.
"What is the 'license of sole ca-bundle.crt?"
http://marc.info/?l=apache-modssl&m=108746432525768&w=2

"Legally the root certificates belong to the CAs and are not the copyright of Mozilla."
http://sourceforge.net/tracker/index.php?func=detail&aid=1889593&group_id=976&atid=100976

"...there are no licensing issues here really."
http://www.issociate.de/board/post/170599/updating_ca-bundle.crt.html

"Extract of CA certificates"
http://article.gmane.org/gmane.comp.mozilla.security/3531

It would be nice not to have to ship these certificates at all. They are unnecessary on a couple of Linux distributions at least. Windows and Mac OS X do have system-wide lists of trusted certificates, of course, just not in the form that OpenSSL expects. With some platform-specific code (using CryptoAPI on Windows and Keychain on OS X) we could access those certificates and possibly make them work with OpenSSL. Doing this might become a feature creeper task this summer.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
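The post describes two trust-store modes: a trust file named explicitly (Ncat's --ssl-trustfile) or whatever roots OpenSSL finds in the operating system's default locations, which differ per platform. As an added illustration, not part of David's post or of Ncat's own code, the Python script below uses the standard ssl module (which wraps OpenSSL) to report the default locations the local OpenSSL build is compiled with, count the certificates in a PEM bundle such as the one cURL's script extracts, and check that a trust file is actually loadable before a client is pointed at it. The sample bundle text and the file path in it are constructed placeholders, not real certificates.

```python
import re
import ssl
import tempfile

# A PEM trust bundle (like cURL's ca-bundle.crt) is just certificate blocks
# concatenated, usually with comment lines naming each CA in between.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample bundle: the base64 bodies are placeholder text, so this
# is only used to exercise the counting logic, never loaded into OpenSSL.
SAMPLE_BUNDLE = """\
# Example Root CA 1 (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBexample1
-----END CERTIFICATE-----
# Example Root CA 2 (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBexample2
-----END CERTIFICATE-----
"""


def count_pem_certs(bundle_text):
    """Return how many PEM certificate blocks a bundle contains.

    Handy for comparing two extracted root stores (e.g. a Mozilla-derived
    bundle against a Windows-derived one) before choosing which to ship.
    """
    return len(_PEM_CERT.findall(bundle_text))


def default_trust_locations():
    """Report where this OpenSSL build looks for roots when no trust file
    is given: the 'whatever the OS installed' case from the post.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,                  # e.g. a ca-certificates.crt bundle
        "capath": paths.capath,                  # e.g. /etc/ssl/certs on Debian
        "env_cafile": paths.openssl_cafile_env,  # env var that overrides cafile
        "env_capath": paths.openssl_capath_env,  # env var that overrides capath
    }


def make_verifying_context(trustfile=None):
    """Build a client context that refuses unverified server certificates.

    trustfile=None uses the OpenSSL/OS default store; otherwise only the
    roots in the given PEM file are trusted (the --ssl-trustfile idea).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if trustfile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=trustfile)
    return ctx


def trustfile_is_usable(trustfile):
    """True if OpenSSL can load at least one certificate from the file.

    A trust file that yields zero certificates (missing, empty, or not PEM)
    makes every verification fail, so it is worth catching up front.
    """
    try:
        make_verifying_context(trustfile)
    except (ssl.SSLError, OSError):
        return False
    return True


def bundle_text_is_usable(bundle_text):
    """Same check for bundle contents held in memory (written to a temp file)."""
    with tempfile.NamedTemporaryFile("w", suffix=".crt") as tmp:
        tmp.write(bundle_text)
        tmp.flush()
        return trustfile_is_usable(tmp.name)


if __name__ == "__main__":
    print("default trust locations:", default_trust_locations())
    print("certs in sample bundle:", count_pem_certs(SAMPLE_BUNDLE))
    print("garbage trust file usable:", bundle_text_is_usable("not a certificate"))
```

Running it on Debian prints /etc/ssl/certs as the capath, matching the post; on a Windows or macOS build of OpenSSL the reported paths typically do not exist, which is exactly why a client there needs its own trust file or platform-specific store access.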